
7

US Sanctions Enforcement by OFAC and the DOJ

David Mortlock, Britt Mosman, Nikki Cronin and Ahmad El-Gamal1

Introduction
The US Department of the Treasury’s Office of Foreign Assets Control (OFAC) administers
and enforces most economic and trade sanctions. Specifically, OFAC is responsible for
civil enforcement of US sanctions laws, and its regulations are enforced on a strict liability
basis, meaning that OFAC does not need to prove fault or intent to enter an enforcement
action and issue a civil penalty. In addition to OFAC, the US Department of Justice (DOJ)
and the US Attorney may pursue criminal investigations and enforcement actions for wilful
violations of US sanctions laws. Federal criminal prosecutions of sanctions violations are
generally conducted on referral by OFAC, although the DOJ may choose to pursue some
cases on its own initiative.2 Other regulators, such as the Financial Crimes Enforcement
Network (FinCEN) and the New York State Department of Financial Services, may impose
additional penalties for failure to maintain specific controls to help ensure compliance with
OFAC-administered regulations. Both federal and state regulators may pursue enforcement
actions for the same conduct simultaneously, which could lead to multiple investigations
by multiple entities. In 2019, then OFAC Director Andrea Gacki made it clear that OFAC
would no longer give credit for all types of fines paid to other agencies in global, multi-agency
settlements.3 This change in how OFAC calculates fines could lead to increased penalties in
global settlement agreements where OFAC would have taken into account the amount of
fines and penalties being levied by other agencies when determining the final penalty amount.

1 David Mortlock and Britt Mosman are partners and Nikki Cronin and Ahmad El-Gamal are associates at
Willkie Farr & Gallagher LLP.
2 31 CFR Part 501 Appendix A (II)(F).
3 Dylan Tokar, Treasury Department Changes Approach to Fines in Sanctions Cases, Wall Street Journal
(14 June 2019), available at www.wsj.com/articles/treasury-department-changes-approach-to-fines-in-sanctions-cases-11560552590.

© Law Business Research 2021

During 2020, the number of enforcement actions closed and published by OFAC
decreased significantly when compared to 2019. 2020 saw approximately US$23 million in
penalties across 16 enforcement actions compared to approximately US$1.3 billion in penalties
across 26 enforcement cases in 2019. One potential cause of this decrease may be the
disruption caused by the covid-19 pandemic throughout 2020 and early 2021, but it could
also be a continuation of the yearly fluctuation and variance in the amount of cases closed
by OFAC. It remains to be seen whether the number of cases will continue to trend upwards
or remain steady once a sense of normalcy has returned. Despite the decreased number of
closed and published enforcement actions, OFAC has continued to pursue novel and more
aggressive enforcement theories, including showing a willingness to pierce the corporate veil
and pursue enforcement cases for even indirect contact with US financial institutions and
expanding its jurisdiction in the wake of technological advancement. OFAC also published
its first enforcement action related to digital currency transactions on 30 December 2020,
followed closely by a second enforcement action related to digital currency transactions in
February 2021, indicating that the agency is ready to aggressively pursue enforcement actions
against apparent violations involving digital currency transactions nearly
two years after the publication of FAQs 559–563.4
Notably, there has been little judicial review or oversight of OFAC’s enforcement theories.
Almost all cases that are not resolved by no-action or cautionary letters are settled, and very
few are challenged in court. However, there are exceptions to this general trend, including
Exxon Mobil Corporation’s challenge of a US$2 million civil penalty imposed by OFAC,
which resulted in the penalty being vacated by a District Court in the Northern District of
Texas on the grounds that OFAC failed to provide fair notice regarding the agency’s interpretation
of the relevant sanctions regulations.5 Additionally, in enforcement actions concluded
after the May 2019 release of OFAC’s ‘A Framework for Compliance Commitments’ (the
Framework),6 OFAC has assessed parties’ compliance with the Framework as an aggravating
or mitigating circumstance, tracking the parties’ violation against the Framework. The new
trends in enforcement, highlighted by recent OFAC cases, show that a strong compliance
programme in line with the Framework is a key factor for parties seeking to avoid OFAC
enforcement actions moving forward.

Investigation
Commencement
The US government can learn of a potential sanctions violation in a number of ways, but the
primary means of discovery are through voluntary self-disclosures (VSDs), reports of blocked
and rejected transactions, referrals from other government agencies, and even publicly
available information, such as media reports.
If a company conducts an internal investigation or otherwise learns of a potential violation
itself, it may submit a VSD to OFAC. A VSD has many benefits, described further
below, including a significant reduction in the base penalty calculation for any potential
enforcement action. Depending on the particular circumstances of a violation, the submission
of a VSD and subsequent cooperation with OFAC should be carefully considered.
A VSD is not the only means by which the government learns of potential violations.
The government frequently learns of violations through reports generated by US persons,
primarily banks, that have blocked or rejected a transaction based on a suspected sanctions
violation. US persons are required under the sanctions regulations to submit blocking and
reject reports to OFAC within 10 business days of the action to block or reject a transaction.
Beginning in June 2019, new regulations require that all US persons report rejected transactions
to OFAC within 10 days.7 Previously, all parties already had an obligation to report
transactions involving blocked property to OFAC, but only US financial institutions had
the obligation to report rejected transactions. OFAC may also learn of sanctions violations
through anti-money laundering reports, primarily suspicious activity reports (SARs), which
are also typically submitted by banks and other financial institutions.

4 Published in March 2018, FAQs 559–563 detail the compliance responsibilities of entities involved in the
digital currency industry or using digital currency as a means of conducting transactions as well as providing
key definitions and information on how OFAC will use existing authorities to bring enforcement actions
with respect to apparent violations involving the use or transfer of digital currency. See OFAC Frequently
Asked Questions ‘Questions on Virtual Currency,’ available at https://home.treasury.gov/policy-issues/financial-sanctions/faqs/topic/1626.
5 See Exxon Mobil Corporation v. Steven Mnuchin, CIVIL ACTION NO. 3:17-CV-1930-B (N.D. Tex. 2019).
6 US Department of the Treasury, ‘A Framework for OFAC Compliance Commitments’, at www.treasury.gov/resource-center/sanctions/Documents/framework_ofac_cc.pdf.

Learning of apparent violations through blocked or rejected transaction reports8

In an enforcement action against Hotelbeds USA, OFAC was notified of the apparent violations
when a US financial institution blocked a payment relating to a Cuba-travel transaction and
Hotelbeds USA sought a specific licence to unblock the funds, which was denied by OFAC.

OFAC may also learn of potential violations through other government agencies, including
foreign governments. Criminal investigations conducted by the DOJ and other federal and
state law enforcement can lead to the discovery of sanctions violations.

Notification
Once OFAC learns of a potential violation and decides to launch an investigation, OFAC
may make an initial request for information with an administrative subpoena or, depending
on the nature of the violation, direct a more informal set of questions to the involved parties,
including non-US persons.
Notably, a 2019 DC Circuit Court decision – which required three Chinese banks, two
of which have US branches, to comply with the government’s grand jury subpoenas and
document production orders in connection with the violation of the US sanctions on North
Korea – expanded the ability of US federal prosecutors to subpoena the financial records of
foreign financial institutions during an investigation.9 The Court held that in instances where
a foreign bank has a US branch, it consents to federal court jurisdiction on matters overseen
by the Federal Reserve including money laundering and sanctions violations.10 The Court
also held that the Attorney General’s power under the Bank Secrecy Act to compel a foreign
bank to produce documents is not limited to transactions that pass directly through a foreign
bank’s US foreign account, but also any foreign records with a connection to the bank’s US
correspondent account.11
The DOJ’s authority to issue subpoenas to foreign financial institutions was expanded
under the Anti-Money Laundering Act of 2020 (AMLA). In addition to having the authority
to issue subpoenas to foreign financial institutions that maintain a correspondent account in
the United States for records related to the correspondent account, the AMLA expanded the
DOJ’s subpoena power to cover ‘any account at the foreign bank, including records maintained
outside of the United States’ if those records are part of a broad list of enforcement
actions, including criminal prosecutions or violations of the Bank Secrecy Act (BSA).12

7 See 31 CFR Part 501.
8 See OFAC ‘Enforcement Information for June 13, 2019’, at https://home.treasury.gov/system/files/126/20190612_hotelbeds_0_1.pdf.
9 See In re: Sealed Case, No. 19-5068 (D.C. Cir. Aug. 6, 2019).

Competent authorities
The authorities responsible for enforcing US sanctions are primarily OFAC (responsible
for civil enforcement) and the DOJ (responsible for criminal enforcement). Furthermore,
financial regulators, including the New York State Department of Financial Services and the
Federal Reserve Board, among others, may impose fines and other penalties for compliance
failures associated with insufficient sanctions compliance programmes.

Substantive offences
Each sanctions programme administered by OFAC is different depending on the aims of
the government. OFAC sanctions programmes generally prohibit US persons from engaging
in transactions, directly or indirectly, involving designated individuals or entities (persons).
Other sanctions programmes, such as those against Cuba and Iran, are comprehensive in
nature, generally prohibiting exports of goods or services by US persons or from the United
States to those territories. Regardless, there are common elements for a finding of an apparent
violation, generally a breach of regulations for an embargo or transaction involving specially
designated nationals and blocked persons or entities subject to sectoral sanctions. OFAC
regulations are civil in nature, meaning they generally do not require mens rea, intent or
knowledge for an apparent violation to be found and a penalty to be assessed. However, if the
apparent violation included a wilful attempt at evading, avoiding, attempting or conspiring
to evade or avoid, or facilitating a prohibited transaction, it could expose the party to criminal
liability and prosecution by the DOJ.
OFAC’s enforcement authority and procedures are further defined by OFAC’s general
enforcement guidelines at 31 CFR 501 Appendix A. These enforcement guidelines establish
the factors for calculating the base penalty amounts, based on a number of specific factors
including whether the violation is egregious or non-egregious and whether the violations
were voluntarily disclosed to OFAC.

10 id. at 10.
11 id. at 9.
12 31 USC § 5315(k) as amended by the Anti-Money Laundering Act 2020.


Piercing the corporate veil13

In an enforcement action against the General Electric Company (GE), OFAC signalled its willingness
to pierce the veil in enforcement cases by entering enforcement proceedings against GE
regarding apparent violations by three of its non-US subsidiaries. The three non-US subsidiaries
of GE had accepted 289 payments from the Cobalt Refinery Company, a party owned in part by
the Cuban government and on OFAC’s list of specially designated nationals and blocked persons.
Foreign persons that are owned or controlled by a US person are required to comply with the
restrictions imposed by the Cuban Assets Control Regulations.

In an enforcement action against Berkshire Hathaway Inc, OFAC again pierced the veil by
entering an enforcement proceeding against Berkshire for apparent violations of the Iranian
Transactions and Sanctions Regulations (ITSR) by its indirectly wholly owned Turkish subsidiary.
These actions were conducted under the direction of certain senior managers in Turkey, despite
Berkshire and other Berkshire subsidiaries’ repeated communications and policies sent to the
Turkish subsidiary regarding US sanctions against Iran and the application of the ITSR to its
operations in Turkey. The ITSR explicitly state that a penalty shall be imposed against the US
parent for a foreign subsidiary’s prohibited dealings with Iran.

Indirect contact with US financial institutions14

In an enforcement action against British Arab Commercial Bank (BACB), OFAC considered
even tenuous and indirect contact with US financial institutions as grounds for an enforcement
action. OFAC found that BACB had violated Sudanese sanctions despite the fact that the transactions
at issue were not processed to or through the US financial system. BACB operated a
nostro account in a country that imports Sudanese-origin oil for the stated purpose of facilitating
payments involving Sudan. The bank funded the nostro account with large, periodic US dollar
wire transfers from banks in Europe, which in turn transacted with US financial institutions in a
manner that violated OFAC sanctions.

13 See OFAC ‘Enforcement Information for October 1, 2019’, at https://home.treasury.gov/system/files/126/20191001_ge.pdf;
see OFAC ‘Enforcement Information for October 20, 2020’, at https://home.treasury.gov/system/files/126/20201020_berkshire.pdf.
14 See OFAC ‘Enforcement Information for September 17, 2019’, at https://home.treasury.gov/system/files/126/20190917_bacb.pdf.


Expanded jurisdiction15

In an enforcement action against Société Internationale de Télécommunications Aéronautiques
SCRL (SITA), OFAC showed its willingness to penalise non-US companies for transactions that
would not have been covered by OFAC’s jurisdiction if they had not used US servers. OFAC’s
basis for jurisdiction over SITA, a global information technology services provider headquartered
in Switzerland and serving commercial air transportation, was that the technology provided to
sanctioned parties was hosted on and incorporated functions that routed messages through US
servers and contained US-origin software.

Enforcement tracked to OFAC’s Framework for Compliance Commitments16

In an enforcement action against Eagle Shipping International, OFAC stated:

As noted in OFAC’s Framework for Compliance Commitments, this case demonstrates the importance
for companies operating in high-risk industries (e.g., international shipping and trading) to implement
risk-based compliance measures, especially when engaging in transactions involving exposure to jurisdictions
or persons implicated by US sanctions.

Scrutiny of the cryptocurrency industry17

In an enforcement action against BitGo, Inc, OFAC signalled its intent to enforce sanctions
compliance in the cryptocurrency industry. The apparent violations involved users located in
sanctioned jurisdictions signing up for and accessing BitGo’s secure digital wallet management
services to engage in digital currency transactions. Despite having access to the IP addresses of
its customers, tracked at the time for security purposes related to logins, BitGo did not use
that information for sanctions compliance purposes. OFAC highlighted the importance of entities
involved in providing digital currency services to implement sanction compliance controls
commensurate with their risk profile. The fact that BitGo did not implement appropriate,
risk-based sanction compliance controls and had reason to know the users were located in sanctioned
jurisdictions based on their IP addresses were seen as aggravating factors.

15 See OFAC ‘Enforcement Information for February 26, 2020’, at https://home.treasury.gov/system/files/126/20200226_sita.pdf.
16 See OFAC ‘Enforcement Information for January 27, 2020’, at https://home.treasury.gov/system/files/126/20200127_eagle.pdf.
17 See OFAC ‘Enforcement Information for December 30, 2020’, at https://home.treasury.gov/system/files/126/20201230_bitgo.pdf;
see OFAC ‘Enforcement Information for February 18, 2021’, at https://home.treasury.gov/system/files/126/20210218_bp.pdf.


In an enforcement action against BitPay, Inc, OFAC signalled that companies involved in
providing digital currency services would be subject to the same compliance requirements as financial
institutions. BitPay offers a payment processing solution for its direct merchant customers
to accept digital currency. Specifically, BitPay would receive digital currency payments on behalf
of its merchant customers and convert the digital currency to fiat currency before relaying that
currency to the merchant. While BitPay screened its direct customers, BitPay failed to screen location
data it obtained about its merchant buyers. As a result, BitPay processed 2,102 transactions
on behalf of individuals located in sanctioned jurisdictions.

Conducting transactions indirectly that would otherwise be considered a violation18

In an enforcement action against Generali Global Assistance, Inc (GGA), OFAC highlighted the
importance of ensuring that sanctions compliance policies and procedures address both direct
and indirect sanctions compliance risks. GGA served as a travel services provider on behalf of two
Canadian insurers that offered policies for Canadian subscribers who travelled to Cuba, providing
medical expense claim processing and payment services to one of the Canadian insurers. For
payments intended for Cuban service providers, GGA would intentionally refer the requests to
a Canadian affiliate and then reimburse that affiliate for the amounts paid. In the enforcement
action, OFAC specifically noted the sanctions risks of implementing a procedure to process, indirectly,
transactions whose direct processing would be prohibited by US sanctions laws.

The Department of Justice enforces criminal sanctions violations. Criminal liability may
be imposed against a person who wilfully commits, attempts to commit, or conspires to
commit, or aids or abets in the commission of, an unlawful act pursuant to the International
Emergency Economic Powers Act (IEEPA), the Act pursuant to which most sanctions regulations
are issued. Criminal liability pursuant to IEEPA may include a fine of not more than
US$1 million or, if a natural person, a prison term of not more than 20 years, or both.19

Mitigating and aggravating factors


OFAC regulations outline the general factors that OFAC will consider when determining
the appropriate enforcement response to an apparent violation of its regulations. Factors that
OFAC will consider to be aggravating or mitigating include:
• wilful or reckless violation of law, including factors such as concealment, a pattern of
conduct and management involvement;20

18 See OFAC ‘Enforcement Information for October 1, 2020’, at https://home.treasury.gov/system/files/126/gga_web_posting_10012020.pdf.
19 50 USC 1705(c).
20 See OFAC ‘Enforcement Information for April 15, 2019’, at https://home.treasury.gov/system/files/126/20190415_uni_webpost.pdf.


OFAC’s enforcement action against UniCredit Bank AG highlighted the bank’s wilful intent to
circumvent US sanctions, citing formal UniCredit Bank AG documents containing policies and
procedures that instructed bank personnel to ensure payment structures were formatted in a way
to hide the participation of OFAC-sanctioned parties.

• awareness of the conduct at issue;21

OFAC found that Standard Chartered Bank had actual knowledge or reason to know of its
apparent violations of several sanctions regulations, including the Cuban Assets Control
Regulations and the Iranian Transactions and Sanctions Regulations, which OFAC deemed an
aggravating factor.

• harm to sanctions programme objectives, including factors such as economic benefit to
the sanctioned country and whether the conduct was likely to have been eligible for an
OFAC licence;22

OFAC found that Jiangsu Guiqiang Tools Co Ltd (GQ), a subsidiary of Stanley Black & Decker,
Inc, which agreed to pay the penalty for both itself and GQ, harmed the objectives of the Iranian
Transactions and Sanctions Regulations by conferring an economic benefit to Iran in a systematic
scheme involving the export and attempted export of several shipments of power tools and spare
parts to a third country with knowledge that the goods were intended specifically for supply,
trans-shipment or re-exportation to Iran.

• individual characteristics of the party in question, such as commercial sophistication and
whether the party has received a penalty notice or a finding of violation from OFAC in
the five years preceding the date of the transaction giving rise to the violation;23

In OFAC’s enforcement action against Cubasphere Inc for violations of the Cuban Assets Control
Regulations, OFAC considered the fact that Cubasphere was a small company with few employees
as a mitigating factor. By contrast, in OFAC’s enforcement action against Apollo Aviation Group,
LLC (Apollo) for violations of the Sudanese Sanctions Regulations, OFAC highlighted Apollo’s
size and sophistication as an aggravating factor.

21 See OFAC ‘Enforcement Information for April 9, 2019’, at https://home.treasury.gov/system/files/126/20190408_scb_webpost.pdf.
22 See OFAC ‘Enforcement Information for March 27, 2019’, at https://home.treasury.gov/system/files/126/20190327_decker.pdf.
23 See OFAC ‘Enforcement Information for June 13, 2019’, at https://home.treasury.gov/system/files/126/20190612_cubasphere.pdf;
and OFAC ‘Enforcement Information for November 7, 2019’, at https://home.treasury.gov/system/files/126/20191107_apollo.pdf.


• the existence, nature and adequacy of a compliance programme in place at the time of
the violation;24

In OFAC’s enforcement action against Haverly Systems, Inc for violations of the Ukraine Related
Sanctions Regulations, OFAC considered the fact that Haverly did not have a formal OFAC sanctions
compliance programme at the time the apparent violations occurred to be an aggravating factor.

• the remedial response that the party took upon learning of the violation;25 and

In OFAC’s enforcement action against PACCAR, Inc on behalf of its wholly owned subsidiary
DAF Trucks NV (DAF) for violations of the Iranian Transactions and Sanctions Regulations,
OFAC considered the remedial actions taken by DAF a mitigating factor. On learning of the
apparent violations, DAF conducted an internal investigation, dismissed employees involved in
some of the apparent violations, cancelled the delivery of 20 trucks for customers that appeared
to have sold or allowed DAF trucks to be sold to buyers in Iran, provided compliance training
annually to DAF subsidiaries and implemented enhanced trade compliance controls in an effort
to prevent similar apparent violations from reoccurring.

• cooperation with OFAC, through a VSD or subsequent cooperation during the investigation
(or both).26

In OFAC’s enforcement action against Stanley Black & Decker, Inc and its subsidiary, OFAC
found that Stanley Black & Decker’s cooperation with OFAC, including an extensive internal
investigation and meaningful responses to OFAC’s requests for additional information, was a
mitigating factor.

A key factor, as evidenced by recent OFAC decisions, is the existence and maintenance
of an adequate compliance programme in line with OFAC’s Framework for Compliance
Commitments. Beginning in 2020, each of the decisions published by OFAC has included a
paragraph referencing the Framework.27

24 See ‘OFAC Enforcement Information for April 25, 2019’, at https://home.treasury.gov/system/files/126/20190425_haverly.pdf.
25 See ‘OFAC Enforcement Information for August 6, 2019’, at https://home.treasury.gov/system/files/126/20190806_paccar.pdf.
26 See ‘OFAC Enforcement Information for March 27, 2019’, at https://home.treasury.gov/system/files/126/20190327_decker.pdf.

As with OFAC, the DOJ generally views voluntary disclosure, full cooperation and timely
and effective remedial measures as mitigating factors. The guidelines from the DOJ’s updated
VSD policy,28 discussed in further detail below, break down full cooperation as:
• timely disclosure of all facts;
• proactive cooperation;
• preservation, collection and disclosure of relevant documents (Guidelines list examples);
• deconfliction of witness interviews;
• retention of business records and prohibition of the improper destruction or deletion of
those records; and
• any additional steps that demonstrate recognition of the seriousness of misconduct,
acceptance of responsibility and implementation of measures to reduce risk of a repetition
of the misconduct.

The updated policy also lays out what the DOJ considers as aggravating factors during
an investigation for criminal sanctions violations. The aggravating factors listed by the
DOJ include:29
• exports of items controlled for nuclear nonproliferation or missile technology reasons to
a proliferator country;
• exports of items known to be used in the construction of weapons of mass destruction;
• exports to a foreign terrorist organisation or specially designated global terrorist;
• exports of military items to a hostile foreign power;
• repeated violations, including similar administrative or criminal violations in the past; and
• knowing involvement of upper management in the criminal conduct.

The DOJ released an update to its ‘Evaluation of Corporate Compliance Programs’30 guidance
document, on 1 June 2020. The ‘Principles of Federal Prosecution of Business Organizations’
include several factors that prosecutors should consider when conducting an investigation
of a corporation, including the adequacy and effectiveness of a corporation’s compliance
programme at the time of an offence. Maintaining an effective compliance programme may
be considered an additional mitigating factor.
When determining whether a corporation has an effective compliance programme, the
DOJ considers three main questions:
• Is the corporation’s compliance programme well designed?
• Is the compliance programme being applied earnestly and in good faith?
• Does the corporation’s compliance programme work in practice?

27 See, for example, ‘OFAC Enforcement Information for December 30, 2020’, BitGo, Inc., at
https://home.treasury.gov/system/files/126/20201230_bitgo.pdf (‘On May 2, 2019, OFAC published A Framework for
OFAC Compliance Commitments in order to provide organizations subject to US jurisdiction, as well as foreign
entities that conduct business in or with the United States or US persons, or that use US-origin goods or services,
with OFAC’s perspective on the essential components of a sanctions compliance program. The Framework also
outlines how OFAC may incorporate these components into its evaluation of apparent violations and resolution
of investigations resulting in settlements. The Framework includes an appendix that offers a brief analysis of some
of the root causes of apparent violations of US economic and trade sanctions programs OFAC has identified
during its investigative process.’).
28 US Department of Justice [DOJ], National Security Division, ‘Export Control and Sanctions Enforcement
Policy for Business Organizations’ (13 December 2019), at www.justice.gov/nsd/ces_vsd_policy_2019/download.
29 id.
30 DOJ, Criminal Division, ‘Evaluation of Corporate Compliance Programs’ (updated June 2020), at
https://www.justice.gov/criminal-fraud/page/file/937501/download.


Best practice for corporations in an investigation


If an investigation has commenced, parties should endeavour to proactively collaborate with
the agency conducting the investigation. OFAC enforcement actions have shown that it
considers cooperation to be a mitigating factor in an enforcement case and the DOJ has
stated that for a party to receive the benefits of a VSD, the party must fully cooperate with
the DOJ. Generally, full cooperation includes but is not limited to internal investigations
to discover the root cause of an apparent violation, responding to regulators’ requests for
additional information in a timely and complete manner, preserving all sensitive or relevant
documents, implementing and collaborating with regulators to develop and implement effective
remedial measures, and, in the case of a DOJ investigation, deconflicting and making
available any potential witnesses. Under no circumstances should parties attempt to hide or
destroy evidence of an apparent violation once an investigation has commenced. Any indication
of actions opposing an investigation is likely to lead to investigators taking a more hostile
approach and may also constitute an offence of obstructing proceedings before departments,
agencies, and committees pursuant to 18 USC 1505 or conspiracy to obstruct justice under
18 USC 371. Parties should also consider notifying relevant non-US regulators, shareholders,
counterparties, insurers and other interested parties.

Self-reporting
Reporting to OFAC
As previously mentioned, OFAC views the self-disclosure of apparent violations favourably.
The self-disclosure of a violation can significantly reduce a potential civil penalty amount. To
be considered voluntary, a disclosure must be self-initiated and made to OFAC before either
OFAC or any government agency or official discovers the apparent violation. Notification
of an apparent violation to another government agency, which is considered a VSD by that
agency, may be considered a VSD to OFAC on a case-by-case basis. When making a VSD
to OFAC, the VSD must include or be followed by a report containing sufficient details to
provide a complete understanding of the circumstances of the apparent violation. In some
instances, it may be beneficial to the party to make a preliminary disclosure to OFAC before
knowing all the facts so as to make a timely disclosure yet ensure that the disclosure is voluntary.
Parties should also ensure that their VSD and follow-up report contain all the details
known at the time they are submitted. Parties submitting VSDs should also be prepared to
respond to any follow-up enquiries by OFAC.31
However, not all notifications to OFAC of an apparent violation will be considered a
VSD. Specifically, a notification will not be considered a VSD if a third party notifies OFAC
of the apparent violation or substantially similar apparent violation because it blocked or
rejected a transaction, or if the disclosure:
• includes false or misleading information or is materially incomplete;
• is not self-initiated;
• is made without the authorisation of senior management; or
• is in response to an administrative subpoena or other enquiry form.32

31 31 CFR 501 Appendix A (I)(I).
32 id.

© Law Business Research 2021

Filing a licence application with OFAC is also not considered a VSD.33


Reports to OFAC in certain instances are required by OFAC regulations. Specifically, US
persons are required to submit reports of rejected and blocked transactions to OFAC within
10 business days of the action.34 These reports typically are made by financial institutions
and must include details of the rejected or blocked transactions, such as the parties, accounts
involved, and date and amount of payment. Additionally, annual reports on blocked property
must be filed with OFAC by 30 September of each year.35 It is important to note that these
reports will not be considered a VSD to OFAC and the disclosure of violations that OFAC
has already been made aware of by a reject or blocking report submitted by another party will
not receive the benefits of a VSD.

Reporting to the DOJ


On 13 December 2019, the DOJ released an updated VSD policy.36 Under the new policy,
all business organisations, including financial institutions, are eligible for the full range
of benefits of the DOJ’s self-disclosure programme. Although there is no requirement to
self-report to the DOJ, owing to the timeliness requirements discussed below, a VSD must
be made early in the investigation process if it is to receive credit from the DOJ.
Mirroring other DOJ self-disclosure policies, companies are now eligible for credit when
they (1) voluntarily self-disclose export control or sanctions violations to National Security
Division’s Counterintelligence and Export Control Section (CES), (2) fully cooperate with
the investigation, and (3) remediate any violations appropriately and in a timely manner. The
threshold for eligibility is self-disclosure of potential violations to CES; self-disclosing to any
other regulatory agency does not qualify a party as a self-discloser under the new DOJ policy.
For the purposes of the DOJ’s VSD policy, for a party’s disclosure to be considered voluntary
it must be made prior to an imminent threat of disclosure or government investigation,
and within a reasonably prompt time after discovery of the offence, and the party must
disclose all relevant facts known to it at the time of the disclosure. The DOJ recognises that
parties may not know all relevant facts at the time of disclosure, especially if the parties submit
a VSD based on a preliminary investigation. The policy states that if that is the case, a
party should make clear that it is making its disclosure based on a preliminary investigation
or assessment of information while still providing all available information.
To receive credit for full cooperation, parties are required to disclose all relevant facts in
a timely manner; to cooperate proactively with the DOJ; to preserve, collect and disclose all
relevant documents and information; to deconflict witness interviews when required; and
to make officers and employees of the party available for interviews by the DOJ when so
requested. The policy notes that eligibility for cooperation credit does not depend on the
waiver of the attorney–client privilege or the work-product protection, although experience
suggests that the DOJ typically initiates a discussion on privilege at some point during
corporate investigations.

33 id.
34 31 CFR 501.603 and 501.604.
35 id.
36 DOJ, National Security Division, ‘Export Control and Sanctions Enforcement Policy for Business Organizations’
(13 December 2019), at https://www.justice.gov/nsd/ces_vsd_policy_2019/download.


Finally, parties are required to demonstrate a thorough analysis of the causes of underlying
conduct and, where appropriate, engage in remediation; implement an effective compliance
programme; discipline employees identified by the party as responsible for the oversight;
retain business records and prohibit the improper destruction of those records; and take any
additional steps that demonstrate recognition of the seriousness of a party’s misconduct.

Considerations before self-reporting


In general, costs associated with making a VSD to either OFAC or the DOJ include legal
expenses, government scrutiny, reputational harm and, potentially, large monetary penalties.
Tied to the additional scrutiny and investigation by government agencies, apparent violations
of US sanctions laws other than those disclosed in the VSD may be discovered during the
course of an investigation. When parties are deciding whether or not to submit a VSD, they
must weigh these negative factors against the likelihood that a government agency independently
discovers or is notified by a third party of the apparent violation and the nature and
value of the apparent violation.
As mentioned above, a VSD submitted to either OFAC or the DOJ will only be accepted
if it is made before there was a significant likelihood that the government would be notified
of the apparent violation or otherwise discover it on its own. Additionally, by not making a
VSD, parties are forfeiting a valuable opportunity to frame the issue and present any mitigating
factors before a government investigation commences.
Prior to proceeding with a VSD, parties should also consider the date a potential violation
occurred. The statute of limitations for sanctions violations is generally five years from the
date of the apparent violation. However, as part of the settlement process parties may enter
into tolling agreements with OFAC, which is considered a mitigating factor, to extend the
statute of limitations if it is at risk of expiring during the course of the investigation and settlement
process. Parties should also be aware that while the statute of limitations for sanctions
violations is generally five years, a criminal investigation conducted by the DOJ may uncover
violations of other statutes with significantly longer statutes of limitations. One example
is the bank fraud statute, which carries a 10-year statute of limitations.37 Additionally, the
presence of a conspiracy to violate sanctions laws may extend the statute of limitations as
the statute of limitations does not begin until the final overt act committed for its benefit.
Depending on the situation, a party may be safe in limiting its investigations and the submission
of VSDs to conduct within the past five years; however, parties should be aware that
there are instances where the statute of limitations is greater than five years.

Considerations before submitting a VSD to OFAC


The submission of a VSD to OFAC can have several benefits, including as a mitigating
factor when calculating a penalty or, in some cases, allowing a party to avoid an enforcement
action. OFAC may decline to take action if it determines that the conduct does not
constitute a violation, or it may decide that the conduct does not warrant a civil monetary
penalty and issue a cautionary letter instead.38 However, the main benefit of a VSD is that,

37 See 18 USC 1344.
38 31 CFR 501 Appendix A (II)(C).


if accepted, the VSD will reduce the base amount of the penalty by approximately 50 per
cent in both egregious and non-egregious cases.39 As mentioned above, VSDs are not the
only mitigating factors that OFAC takes into account when determining the amount of a
penalty. Parties should immediately take any reasonable remedial measures after discovering
the apparent violation and discuss those measures in their submission. Additionally, parties
should maintain a compliance programme in line with OFAC’s Framework for Compliance
Commitments and, to the extent possible, map the apparent violation against their compliance
programme and how the party has remedied, or intends to remedy, the deficiency in its
programme that caused the apparent violation.
Further, when submitting a VSD to OFAC, a party must consider the chance that OFAC
may launch a broader investigation of the party and find additional, undisclosed violations
under one of its many sanctions programmes or violations that cause OFAC to notify other
government agencies, including a potential referral to the DOJ for criminal enforcement.
While notifications made to other government agencies may be considered a VSD for
OFAC enforcement purposes, a VSD to OFAC will not qualify as a VSD made to the DOJ.
Therefore, parties should carefully consider if there was an element of wilfulness in the apparent
violations or other activity that would be considered criminal in nature and would cause
OFAC to refer the case to the DOJ. If a party believes that the case may be referred to the
DOJ, it should consider submitting a VSD to the DOJ either prior to, or simultaneously
with, submitting its VSD to OFAC to take advantage of the DOJ’s VSD policy.

Considerations before submitting a VSD to the DOJ


If the party satisfies the three requirements of the DOJ’s VSD policy – (1) voluntarily
self-disclosing a violation, (2) fully cooperating with the investigation, and (3) remediating
any violations appropriately and in a timely manner – there is a presumption that the party
will receive a non-prosecution agreement and will pay no fine, absent aggravating factors.
However, even if a party receives a non-prosecution agreement, at a minimum the party will
not be permitted to retain any of the unlawfully obtained gain and will be required to pay all
disgorgement, forfeiture or restitution resulting from the misconduct.
Additionally, even if aggravating circumstances exist, the DOJ will still recommend a
fine of at least 50 per cent less for a qualifying party than otherwise would have been levied,
and will not require the imposition of a monitor if the party has implemented an effective
compliance programme at the time of resolution. In addition to maintaining compliance
programmes in line with OFAC’s Framework, parties should ensure their programmes meet
the criteria laid out in the DOJ’s updated ‘Evaluation of Corporate Compliance Programs’
guidance document.
While the new VSD policy certainly has issues that businesses must consider before
self-reporting, for businesses and the newly included financial institutions, the revised policy
is also a potential lifeline to protect them from large financial penalties and potential

39 31 CFR 501 Appendix A (V)(B)(a).


criminal prosecution as seen in recent DOJ cases regarding UniCredit,40 Société Générale41
and Halkbank.42 Despite this, there are still issues with the policy that may deter business
organisations from submitting VSDs to the DOJ.
One factor to take into consideration under the new policy is that it makes clear that a
VSD to a regulatory agency will not be enough to qualify for the benefits of the DOJ policy.
This is in contrast with OFAC’s position that notification of an apparent violation to another
government agency that is considered a VSD by that agency may be considered a VSD by
OFAC based on a case-by-case assessment. This, coupled with the requirement that a VSD be
made before any imminent threat of disclosure or government investigation, means that parties
must decide early in their investigation of a potential violation of sanctions or export laws
if they need to file with both regulatory agencies and the DOJ. Investigations can take unexpected
turns, however, transforming an ostensible civil issue into a potential criminal matter
if evidence of wilfulness is discovered. However, by filing with the DOJ, a party could expose
itself to a potential criminal investigation and heavy, continuing disclosure obligations.
Moreover, the policy applies only to the DOJ and does not bind other regulators, including
state banking regulators such as the New York State Department of Financial Services
or the Federal Reserve. Those other enforcement authorities have their own programmatic
mandates, which may be inconsistent with the outcomes available under the new policy. Put
differently, self-reporting to the DOJ may earn you the carrot from the DOJ, but you may
still face the stick from other regulators.
The key to effectively utilising this policy rests in the foundation of a party’s compliance
policies and procedures. Even if the policies and procedures fail to prevent a violation from
occurring, they can assist a party in quickly determining the nature and degree of the violation.
This should help parties recognise earlier in their investigation of a potential violation
whether they need to issue a VSD to the DOJ.

Other notification requirements


During the past few years, the US Securities and Exchange Commission (SEC) has taken a
more active role in reviewing economic sanctions compliance. The SEC appears to have taken
an interest because of the risks associated with a violation of US sanctions laws. The SEC has
used comment letters43 to request additional information from parties regarding the financial
and reputational risks from costly regulatory action that may be associated with their
disclosures to OFAC and their business activities in sanctioned countries. The proportion of

40 See DOJ press release of 15 April 2019, at https://www.justice.gov/opa/pr/unicredit-bank-ag-agrees-plead-guilty-illegally-processing-transactions-violation-iranian.
41 See DOJ press release of 19 November 2018, at https://www.justice.gov/usao-sdny/pr/manhattan-us-attorney-announces-criminal-charges-against-soci-t-g-n-rale-sa-violations.
42 See DOJ press release of 15 October 2019, at https://www.justice.gov/opa/pr/turkish-bank-charged-manhattan-federal-court-its-participation-multibillion-dollar-iranian.
43 SEC ‘comment letters’ refer to either letters submitted in response to requests for public comment, or, in this
instance, to correspondence between SEC staff and SEC filers. The SEC may use comment letters to request
that a party provide additional supplemental information, revise disclosure in a document on file with the SEC,
provide additional disclosure in a document on file with the SEC, or provide additional or different disclosure in
a future filing with the SEC. There may be several rounds of letters as the SEC’s staff and the filer work to resolve
a particular issue.


comment letters discussing sanctions issues has risen from 1.5 per cent in 2014 to 4.5 per cent
in 2018.44 Despite this, the SEC has not traditionally acted as an enforcement agency in the
mould of OFAC or the DOJ, only seeking disclosure and reporting of sanctions-related risks.
However, in a recent Foreign Corrupt Practices Act (FCPA) case against Quad/Graphics,
the SEC found that, in addition to committing anti-bribery and bookkeeping offences,
Quad/Graphics participated in a scheme to circumvent US sanctions and export control laws.45
The DOJ had declined to prosecute Quad/Graphics despite finding evidence of bribery and
did not reference the sanctions evasion scheme.46 It remains to be seen whether the SEC will
continue to use provisions of the FCPA to enforce US sanctions laws. Based on this and the
increased frequency of the SEC’s requests for information and disclosure of sanctions-based
risks, parties should consider notifying the SEC of apparent violations. However, this should
be done while keeping in mind the requirements for VSD submissions to OFAC and
the DOJ.
In addition to the SEC, parties should be aware that OFAC maintains memoranda of
understanding (MOUs) with several state and federal banking regulatory agencies.47 These
MOUs outline how OFAC and the banking regulators will share information regarding
apparent violations of US sanctions. Banking regulators, such as the Federal Reserve, may
impose penalties on the financial institutions they oversee in connection with apparent violations
of US sanctions laws. The jurisdiction of these regulators is generally based on the
requirements for safe and sound banking practices, which may include compliance with
US economic sanctions and financial crime laws and requirements to disclose sanctions
risks.48 Accordingly, financial institutions should consider notifying their banking regulators
of apparent violations if they plan to submit a VSD to OFAC. However, as discussed with
respect to the SEC, this should be done while conscious of the requirements for VSD submissions
to OFAC and the DOJ.
Parties should also assess whether the apparent violation of US sanctions laws also violates
the sanctions laws of other jurisdictions. For example, if a party operates in both the
United States and the United Kingdom and commits an apparent violation that would be in
breach of sanctions law in both countries, the party should consider making a disclosure to

44 Menghi Sun and Mark Maurer, ‘SEC Questions More Companies About Sanctions Disclosures’, Wall Street
Journal (28 August 2019) (citing Audit Analytics), at www.wsj.com/articles/sec-questions-more-companies-about-sanctions-disclosures-11567018243.
45 See Securities and Exchange Commission press release of 26 September 2019, at www.sec.gov/news/press-release/2019-193.
46 See DOJ Response Letter, Re: Quad/Graphics Inc, at https://www.justice.gov/criminal-fraud/file/1205341/download.
47 The US Department of the Treasury maintains a list of memoranda of understanding between OFAC
and state and federal banking regulators at https://home.treasury.gov/policy-issues/financial-sanctions/civil-penalties-and-enforcement-information/2019-enforcement-information/memoranda-of-understanding-between-ofac-and-bank-regulators.
48 See, for example, ‘Board of Governors of the Federal Reserve System, Order to Cease and Desist and Order of
Assessment of Civil Money Penalty Issued Upon Consent Pursuant to the Federal Deposit Insurance Act, as
Amended, In the Matter of Standard Chartered PLC’ (8 April 2019) available at https://www.federalreserve.gov/newsevents/pressreleases/files/enf20190409a1.pdf. (Stating that Standard Chartered PLC and Standard
Chartered Bank were fined for unsafe and unsound practices relating to inadequate sanctions controls and failure
to disclose sanctions risks to the Federal Reserve.)


both OFAC and the UK’s Office of Financial Sanctions Implementation. Foreign regulatory
agencies may share information regarding apparent violations directly or learn of an apparent
violation if it is published by a foreign regulator. Therefore, a party should ensure that it
considers whether its actions violate non-US sanctions laws and whether the party would be
subject to the jurisdiction of non-US regulators.
Additionally, parties should be aware of how public perception and negative press relating
to the discovery of an apparent violation can materially affect a party’s reputation. A VSD and
a detailed plan to implement remediation measures targeting the root cause of the apparent
violations may mitigate some of the associated reputational damage. However, regardless
of how the apparent violation was reported or discovered, public scrutiny still represents a
risk factor for future business partners and investors. As a result, reputational damage could
lead to lost opportunities and burdensome due diligence requirements imposed by potential
business partners.

Anti-money laundering
Suspicious activity reports
As mentioned above, anti-money laundering investigations can overlap with investigations of
apparent sanctions violations. Additionally, disclosures to one regulatory authority can notify
other authorities of potential violations leading to overlapping investigations for different
violations caused by the same action. A financial institution that intentionally attempts to
deceive US regulatory authorities or cover up an apparent violation of US sanctions laws, for
example, is likely to simultaneously engage in violations of anti-money laundering laws.49
Under the BSA, financial institutions50 are required to report ‘any suspicious transaction
relevant to a possible violation of law or regulation’. FinCEN has issued regulations
implementing the BSA requiring certain financial institutions, including banks, securities
broker-dealers, introducing brokers, casinos, futures commission merchants and money services
businesses, to report any suspicious activity above a certain dollar threshold in a SAR.
Each industry has its own form and, generally, the report must be submitted within 30 days
of the detection of the suspicious activity.
As discussed in earlier sections of this chapter, OFAC requires financial institutions to
submit reports regarding any transactions that were rejected or blocked as a result of the

49 An example of simultaneous sanctions and anti-money laundering enforcement can be found in the ongoing
case of Halkbank. The Turkish state-owned bank allegedly participated in a multibillion-dollar scheme to evade
US sanctions on Iran, including facilitating fraudulent transactions designed to appear to be purchases of food
and medicine. The DOJ referenced the knowing involvement of senior officers at the bank and discussions on
how best to structure transactions to evade scrutiny by US regulators. As is often the case with schemes to avoid
sanctions, Halkbank violated anti-money laundering laws by using fraudulent pretences and representations to
defraud financial institutions. See United States v. Halkbank, Superseding Indictment S6 15 Cr. 867 (RMB), at
www.justice.gov/opa/press-release/file/1210396/download.
50 The Bank Secrecy Act defines ‘financial institutions’ at 31 USC 5312. This list at 31 USC 5312(a)(2) includes,
but is not limited to, insured banks, commercial banks or trust companies, private bankers, brokers and dealers
in securities or commodities, investment bankers or companies, insurance companies, certain casinos and any
businesses or agencies that engage in any activity which the Secretary of the Treasury determines, by regulation,
to be an activity that is similar to, related to, or a substitute for any activity in which any business described in
31 USC 5312(a)(2) is authorised to engage.


involvement of a person on OFAC’s list of specially designated nationals and blocked persons.
These transactions would be considered suspicious activity under the BSA due to the
possibility that they violate US sanctions regulations, and financial institutions would be
required to submit a SAR to FinCEN. However, FinCEN’s requirements will be satisfied
by filing a rejection or blocking report to OFAC.51 OFAC will then pass the information to
FinCEN, where the activity will be logged in the suspicious activity reporting database and
become available to law enforcement agents. However, FinCEN notes that to the extent a
financial institution has information related to the activity that was not disclosed or included
in the blocking report, the financial institution should file a separate SAR with FinCEN
including that information.52
As discussed above, a notice of an apparent violation through a third-party rejection or
blocking report will negate any benefit that a party may have received from submitting a
VSD. Additionally, because the information filed in a rejection or blocking report will be
passed to FinCEN and made available to law enforcement, it could trigger additional investigations
relating to money laundering or other civil and criminal offences. Parties should be
aware of how regulators share information and how a third-party report may trigger multiple
investigations from several government agencies, negating any benefit the party would receive
from self-reporting the apparent violation.
In understanding and examining the risks associated with third-party reports, parties
should also be aware of the AMLA, ultimately passed on 1 January 2021. The AMLA
expands the BSA to include measures to strengthen FinCEN and inter-agency coordination
and enforcement, among other provisions such as enhanced regulatory coverage of
non-traditional exchanges of value and new beneficial ownership reporting requirements.
As noted above, one way that OFAC may learn of apparent violations of US sanctions laws
is through information shared by foreign regulatory bodies. The AMLA requires the US
Treasury Department to create a three-year pilot programme allowing financial institutions
to share SARs information with the institution’s foreign branches, subsidiaries, and affiliates
for the purpose of combating illicit finance risks.53 The AMLA also requested
the establishment of an exchange designed to facilitate information sharing between financial
institutions, law enforcement agencies, national security agencies and FinCEN.54
As these programmes continue to develop, the enhanced information-sharing mechanisms
and procedures could lead to faster detection by or notification of a potential violation
to OFAC, negating any benefits that would be received by self-reporting as the report
would no longer be considered voluntary by OFAC. The implementation and effect of these
information-sharing programmes should be monitored by parties, and their potential impact
on the time it takes for OFAC to independently discover or be notified of an apparent violation
considered when deciding if and when to file a VSD.

51 See FinCEN Interpretive Guidance ‘Interpretation of Suspicious Activity Reporting Requirements to Permit the
Unitary Filing of Suspicious Activity and Blocking Reports’, December 2004, available at www.fincen.gov/sites/default/files/guidance/20041214a.pdf.
52 id.
53 31 USC § 5318(g)(8) as amended by the Anti-Money Laundering Act, 2020.
54 31 USC § 310(d) as amended by the Anti-Money Laundering Act, 2020.


Resolution of investigations
OFAC has a variety of enforcement options available to it upon learning of a potential violation
of US sanctions. If OFAC determines that there is insufficient evidence that a violation
has occurred or concludes that the conduct does not warrant an administrative response, then
no action will be taken.55 In cases where OFAC is aware that the subject of the investigation
knows of OFAC’s investigation, OFAC will generally issue a no-action letter. If OFAC
determines that there is insufficient evidence of a violation but that the activity in question
could lead to a violation or that there is a lack of due diligence in assuring compliance with
US sanctions laws, OFAC may issue a cautionary letter.56 A cautionary letter will generally lay
out OFAC’s concerns about the underlying conduct or concerns regarding the compliance
policies, practices and procedures that led to the apparent violation. If OFAC determines that
a violation has occurred but that a civil monetary penalty is not appropriate, OFAC may issue
a finding of violation.57 Although there is no monetary penalty involved, OFAC announces
findings of violations in press releases and publishes a notice containing the description of the
violations and its analysis, which can cause reputational damage to a party.

Cautionary letter58

In OFAC’s enforcement action against AppliChem GmbH, OFAC noted that it had previously
issued a cautionary letter to Illinois Tool Works Inc, a US company that acquired AppliChem,
regarding AppliChem’s post-acquisition sales to Cuba.

OFAC may also impose a civil monetary penalty upon determining that a violation has
occurred.59 These penalties will be determined in line with OFAC guidelines and subject
to the mitigating and aggravating factors described above. Parties may also decide to enter
into a settlement with OFAC to reduce their maximum exposure to penalties.60 Settlement
discussions may be initiated by OFAC or the party that committed the apparent violation.
Settlements can be made before or after the issuance of a pre-penalty notice and may also
include multiple apparent violations, even if they are covered under separate pre-penalty
notices. Notably, OFAC settlements may be a part of a comprehensive settlement with other
federal, state or local agencies.

55 31 CFR 501 Appendix A (II)(A).
56 31 CFR 501 Appendix A (II)(B).
57 See US Department of the Treasury, ‘Enforcement Release April 30, 2020: OFAC Issues a Finding of Violation
to American Express Travel Related Services Company for Violations of the Weapons of Mass Destruction
Proliferators Sanctions Regulations’, at https://home.treasury.gov/system/files/126/20200430_amex.pdf.
58 See ‘OFAC Enforcement Information for February 14, 2019’, at https://home.treasury.gov/system/files/126/20190214_applichem.pdf.
59 31 CFR 501 Appendix A (II)(E).
60 31 CFR 501 Appendix A (V)(C).


Global settlement61

UniCredit Bank AG agreed to pay approximately US$611 million to OFAC as part of a larger,
US$1.3 billion settlement with federal and state government partners.

Finally, OFAC may refer a case to appropriate law enforcement if it determines that the
activity warrants a criminal investigation or prosecution (or both).62
Similar to the multiple options available to and utilised by OFAC, the DOJ has a variety
of enforcement options available to it when closing a case. First, it may choose to resolve a
case using a deferred prosecution agreement (DPA) or a non-prosecution agreement (NPA).
Under a DPA, the DOJ will bring charges against the party committing the violation but
agrees not to proceed with those charges so long as the party follows a negotiated set of requirements
or conditions. Under an NPA, the DOJ will not file charges against the party and will
generally require the party to comply with certain conditions or pay a fine. Additionally,
DPAs and NPAs may impose a corporate monitor on the party to the agreement. The party
bears the costs of the corporate monitor and the scope of the monitor’s oversight responsibilities
is negotiated by the party and the DOJ. The DOJ may also seek the forfeiture of assets
relating to the apparent violation as part of the penalties assessed against the party.
If the DOJ initiates an investigation either through a referral by another government
agency or independent discovery of an apparent violation, the offending party may be
charged under numerous criminal statutes depending on the nature of the violation. For
example, a single party may be charged for a wilful violation of IEEPA while simultaneously
being charged for fraud, criminal money laundering and other offences committed in coordination
with the apparent violation.63 These could lead to significant monetary penalties and
potential imprisonment for individuals involved in the apparent violation.

61 See, e.g., US Department of the Treasury press release, ‘U.S. Treasury Department Announces Settlement with
UniCredit Group Banks’ (15 April 2019), at https://home.treasury.gov/news/press-releases/sm658.
62 31 CFR 501 Appendix A (II)(F).
63 See DOJ press release of 15 October 2019, at https://www.justice.gov/opa/pr/turkish-bank-charged-manhattan-federal-court-its-participation-multibillion-dollar-iranian (‘[Halkbank] was charged today in a six-count
indictment with fraud, money laundering, and sanctions offenses related to the bank’s participation in a
multibillion-dollar scheme to evade U.S. sanctions on Iran.’).

© Law Business Research 2021
Part II
Compliance Programmes

13
Principled Guide to Sanctions Compliance Programmes

Zia Ullah and Victoria Turner1

The past decade has seen sanctions move up the risk agenda, becoming one of the most
significant risks for any business operating across multiple jurisdictions. Once only a real
concern for regulated financial institutions, the proliferation of enforcement action, by the
Office of Foreign Assets Control (OFAC) in particular, has forced all businesses, irrespective
of the sectors in which they operate, to consider the adequacy of their sanctions compli-
ance programmes. Add to this the pressure being brought to bear by those companies’ own
business partners to outline the mitigating steps they take to ensure downstream sanctions
compliance, and never has ensuring that an effective sanctions compliance programme is
implemented been more important. This chapter considers the key areas of focus that busi-
nesses and their teams should consider when developing sanctions compliance programmes.

Proportionate and risk-based programmes


Sanctions compliance programmes should be risk-based and proportionate. What is appli-
cable for one organisation will not be appropriate for another and enforcement agencies have
noted that an adequate compliance programme will very much depend upon factors unique
to each organisation (including their products, customers and nature of their business).2 All
regulators and enforcement agencies appear to be aligned on this concept.
The concept of proportionality is very important. Although on one measure, sanctions
compliance may be considered as a binary ‘comply or breach’ issue, the practical reality is that
a one-size-fits-all approach is not necessary or indeed cost-effective. The large-scale sanctions
mitigation strategies, which regulated businesses develop to ensure they are able to effectively
screen millions of customers and transactions every day, will not (nor should they) be the

1 Zia Ullah is a partner and Victoria Turner is a principal associate at Eversheds Sutherland. The authors wish to
extend special thanks to associate Lorena Dervishi for her assistance with this chapter.
2 Office of Foreign Assets Control [OFAC], FAQs 25 to 30.


same strategies that are employed by smaller businesses with only a fraction of the number of
customers or potential sanctions touch points across their business life cycles. As we outline
below, assessing the sanctions risks applicable to any particular business will ensure that the
most proportionate sanctions compliance programme is implemented for that enterprise,
taking into account the levels of resources that are available, or indeed appropriate.

Preventive measures
Prevention is key in terms of sanctions compliance. Regulators across the world take a dim
view of those institutions that fail to identify risks and seek to implement preventative meas-
ures to mitigate those risks. In this regard, sanctions compliance is no different from other
financial crime compliance. However, sanctions compliance has a number of unique and
specific challenges, including the constantly evolving regimes (sometimes daily) and the diffi-
cult position conflicting global regimes can create for global institutions. Being aware of the
challenges that sanctions compliance poses, staying on top of worldwide developments and
anticipating future changes are all key issues when identifying the preventative measures that
should be put in place and to ensure that they continue to operate in an effective manner.
Introducing preventative measures is essential in ensuring that an organisation is
complying with international sanctions. The development of policies and procedures,
customer screening systems, the provision of training, due diligence, transaction monitoring
and transaction screening are all key preventative measures that organisations should consider
putting in place. There is no one-size-fits-all when it comes to sanctions compliance and at
the heart of all compliance programmes should be a risk assessment. Understanding the sanc-
tions risk posed by your business and its third parties is the best place to start when devel-
oping an effective sanctions compliance framework.
Equally, understanding the root causes of apparent violations of sanctions is also extremely
helpful when designing and maintaining an effective sanctions compliance programme and
in identifying the preventative measures that may be appropriate. OFAC has provided some
helpful analysis of the root causes of sanctions violations, which include:
• lack of a formal sanctions compliance programme;
• decentralised compliance functions and lack of a formal escalation process;
• an inefficient or incapable audit function;
• failure to understand the applicability of sanctions;
• facilitation of transactions by non-US persons in respect of US sanctions;
• utilising the US financial system for commercial transactions involving persons or entities
subject to US sanctions;
• inadequate sanctions screening; and
• inadequate due diligence on customers and third parties.3

Many OFAC civil settlements have resulted from voluntary self-disclosures of apparent viola-
tions in which the above-mentioned preventative measures were not taken or were inad-
equate. Understanding where others have failed is a key component of determining whether
your own sanctions compliance programme will be effective.

3 See https://home.treasury.gov/news/press-releases/sm680.


What constitutes a good sanctions compliance programme?


Sanctions is, quite rightly, a high compliance priority for many businesses and, in recent
times, regulators and enforcement agencies have provided guidance on what to consider
when assessing a sanctions compliance programme. Key guidance to note includes:
• FAQs published by OFAC in respect of sanctions compliance;
• ‘A Framework for OFAC Compliance Commitments’ (dated 2 May 2019);4
• The Department of Justice’s (DOJ) ‘Guidance on Evaluating Corporate Compliance
Programs’ (issued in 2019 and updated in June 2020);5
• Office of Financial Sanctions Implementation’s (OFSI) general guidance on financial
sanctions (in particular Chapter 3 regarding compliance for businesses and financial
institutions);6
• Financial Conduct Authority’s (FCA) ‘Financial Crime Guide’;7 and
• EU Guidance on Internal Compliance Programmes.8

Although these guidance documents differ in certain elements, they are broadly in agreement
that the general core components of an effective sanctions compliance programme are:
• senior management commitment;
• risk assessment;
• policies, procedures and internal controls;
• training; and
• audit.

We examine each of these five components in more detail.

Senior management commitment


Senior management commitment is at the forefront of all guidance on sanctions compli-
ance programmes. Compliance should not operate in a vacuum and senior management
should understand the compliance programme’s purpose, the key risks faced by the organi-
sation (both inherent and residual) and how the programme is designed to work. Senior
management should demonstrate, at board level where appropriate, support for the compli-
ance programme and those within the business who are responsible for its development
and operation.
Both regulators and sanctions enforcement agencies expect senior management to review
and approve an organisation’s sanctions compliance programme. This must not be just a
tick-box process and regulators will look to senior management to provide support for the

4 See https://home.treasury.gov/news/press-releases/sm680.
5 See US Dep’t of Justice’s ‘Guidance on Evaluating Corporate Compliance Programs’ (issued in 2019 and
updated in June 2020) – although this is not specific to sanctions, it is helpful in understanding the approach
enforcement agencies may take when assessing whether or not a compliance framework was adequate.
6 See www.gov.uk/government/publications/financial-sanctions-faqs.
7 See www.handbook.fca.org.uk/handbook/FCG/7/ – in particular Chapter 7, which provides examples of good
practice for sanctions systems and controls.
8 Commission Recommendation (EU) 2019/1318 – although this focuses on compliance programmes for
dual-use trade controls, the overarching principles are arguably relevant to any sanctions compliance programme.


compliance programme within their organisation and demonstrate compliance themselves,
as well as a general culture that fosters positive and effective sanctions compliance. Senior
management should set the tone for the business, undertake sanctions compliance training
and regularly review sanctions risks faced by the business, providing effective challenge to the
risk and compliance function where appropriate.
Senior management should not stifle or prevent risk and compliance teams from imple-
menting and operating an effective sanctions compliance programme. Regulators and
enforcement agencies are keen to see adequate resources being provided to compliance teams
and that compliance and risk teams have a sufficient level of autonomy to implement poli-
cies and procedures designed to mitigate the sanctions risk identified within an organisation.
However, overall responsibility for sanctions compliance should lie with a chief compli-
ance officer, general counsel, or some other appropriate member of an organisation’s execu-
tive committee.
It should be noted that where issues arise as a result of potential failings in sanctions
compliance frameworks, senior management are often at the heart of any potential inves-
tigation into any failings, and as such they should ensure that they fully understand the
potential sanctions risks their businesses face and be able to articulate the steps they took to
ensure compliance.

Risk assessment
As previously stated, risk assessment is at the heart of an effective sanctions compliance
programme. Internal controls (including due diligence and screening), policies and proce-
dures and training cannot be done in an appropriate manner unless a risk assessment has been
conducted and the output is used to inform those elements of the compliance programme.
It is only when an organisation has considered and laid out its inherent sanctions risk that
it can truly start identifying controls and residual risk factors. A sanctions risk assessment
will vary significantly across different business types and sectors. Although there can be no
single approach to take, OFAC notes that a risk assessment ‘should generally consist of a
holistic review of the organisation from top-to-bottom and assess its touchpoints to the
outside world’.9 Equally, from a legal point of view, different legal requirements (including
cross-border requirements) pose different challenges and risks to different businesses.
Understanding the complexity of sanctions and the effects on your own individual business
is vital when implementing and managing an effective compliance programme.
In the United Kingdom, the Financial Conduct Authority (FCA) is clear that ‘a thorough
understanding of financial crime risks [including sanctions] is key if a firm is to apply propor-
tionate and effective systems and controls’.10 Corporate resources are not infinite and one of
the key benefits in conducting a risk assessment is that it enables an organisation to target
resource on the areas of greatest sanctions risk (alongside other financial crime-related areas).
Risk assessments should have a broad scope and should include assessment of:
• customer risk;
• product risk;

9 OFAC, ‘A Framework for OFAC Compliance Commitments’ (dated 2 May 2019), at
https://home.treasury.gov/news/press-releases/sm680.
10 Financial Conduct Authority [FCA], ‘Financial Crime Guide’, Box 2.2.4.


• geography risk;
• transaction risk; and
• delivery risk.

It is important to identify all potential sanctions risk and, in particular, where it is in the oper-
ation of your business that potential sanctions exposure may lie. As noted in ‘A Framework
for OFAC Compliance Commitments’, sanctions risk not only exists in the day-to-day
operations of a business but also in mergers and acquisitions, particularly where mergers
and acquisitions introduce cross-border considerations. As such, assessing the applicability of
various sanctions regimes to different parts of your business, customers, intermediaries, the
supply chain, counterparties and the geography of each of these is important. As stated previ-
ously, understanding the root causes of apparent sanctions violations is also important and
having an understanding of these root causes will result in a more productive risk assessment.
OFAC has helpfully provided a suggested risk matrix that may be used when assessing
compliance programmes.11

Policies, procedures and internal controls


Internal controls are the measures put in place by an organisation to mitigate the risks it
has identified. Examples of internal controls that may be appropriate in the context of sanc-
tions include:
• policies and procedures;
• customer and third-party screening;
• transaction screening;
• due diligence requirements;
• contractual provisions; and
• training.

Sanctions compliance programmes typically include, at their most basic, a sanctions policy
and, in some cases, a compliance manual (which may cover more than one area of financial
crime risk). Sanctions policies typically include explanations of what sanctions are, why they
are applicable to the business, why it is important to comply with them, what controls the
business has put in place to ensure compliance, what the obligations of individual employees
are and the consequences of failing to comply with the sanctions compliance programme.
Processes underpinning the internal controls put in place are often set out in a separate
compliance manual or procedures document, along with an appropriate internal reporting
and governance structure and exceptions process.
Internal controls for any financial crime compliance programme must be able to adapt to
ongoing changes and developments. This is particularly important in the context of sanctions
where changes to legal regimes occur frequently, where new entities and individuals are desig-
nated by one or more regulators and where geopolitics frequently result in changes in focus
by different governments across the world. An effective sanctions compliance programme

11 Annex to Appendix A to 31 C.F.R. Part 501, OFAC’s Economic Sanctions Enforcement Guidelines.


must be able to adapt to these evolutions and this should be built into the framework of the
internal controls.
Although there is generally no legal obligation within primary sanctions legislation to
conduct sanctions screening,12 it is often the only practical way an organisation can ensure
that it does not engage in conduct that would give rise to violations of sanctions. There are
multiple screening tools available to organisations, some of which will no doubt be better
suited to certain industries. However, what is important is that those responsible for the
screening solution within an organisation understand why the tool was selected, how it oper-
ates, how it is calibrated to meet the needs of the organisation and its risk assessment, and
how the underlying logic works. The effectiveness of sanctions screening tools, at both the
customer and transaction levels, should be regularly tested to ensure they are operating within
the parameters the organisation needs and expects.
Having a screening tool working in isolation is unlikely to be effective and the importance
of ensuring it is aligned to a risk assessment and due diligence requirements cannot be under-
stated. An organisation’s risk assessment should inform how a screening solution is utilised,
what is screened and when.
The importance of internal controls is not a new concept. The FCA’s predecessor, the
Financial Services Authority (FSA), fined Royal Bank of Scotland £5.6 million in 2010 as
a result of deficiencies in its systems and controls to prevent breaches of UK financial sanc-
tions. One of the key findings by the FSA was that the bank failed to properly consider what
policies and procedures were required to ensure it did not engage in activity that would
give rise to a violation of the UK sanctions regime. The regulator found that the bank was
not screening certain cross-border payments, that beneficial ownership information was not
adequately recorded and that, therefore, screening of that information was not sufficient.
Moreover, screening solutions were not monitored or reviewed regularly to ensure effective-
ness. Although no specific violations of sanctions were identified, the FSA determined that
the lack of appropriate internal controls gave rise to an unacceptable risk that UK sanctions
could have been breached. The FSA stressed that ‘adequate systems and controls relating to
financial sanctions is an integral part of complying with the [now FCA’s] requirements on
financial crime’.13 This message remains relevant today, and we continue to see action by regu-
lators across the world against organisations not only for actual violations of sanctions but
also because of the lack of adequate internal controls in preventing violations from occurring.

Training
An organisation could design the best sanctions compliance programme ever seen, but
failing to train employees adequately, not only on the programme itself but on the rationale
for having it (including legal and regulatory obligations), is a sure-fire way of ensuring the
compliance programme fails. While technology no doubt plays a significant role in any
compliance programme, the complexity of international sanctions and the need for various

12 In the United Kingdom, the European Union or the United States – although the writers acknowledge that
certain regulated entities may have obligations imposed on them by specific regulators, such as the New York
State Department of Financial Services in the US.
13 FCA Decision Notice, dated 2 August 2010.


controls to work alongside and in conjunction with each other means that, often, a sanctions
compliance programme is only as good as the people who implement it.
Training can take many forms and what is appropriate for one organisation will not
necessarily be appropriate for another. Organisations that operate across multiple jurisdic-
tions will no doubt need a more detailed training plan than a small organisation based only in
the UK, for instance. Again, the training requirements needed should flow from the outcome
of an organisation’s risk assessment and we would stress that it is important to consider the
root causes of sanctions violations to ensure that these are, where appropriate, addressed
within the training provided. Training may include:
• clear communication of internal controls, policies and procedures to relevant employees;
• internal face-to-face or webinar-based training in respect of sanctions obligations (of
the organisation and individual employees), legal and regulatory requirements, internal
controls and reporting obligations (both internally and externally). Many enforce-
ment authorities and regulators expect to see training being given regularly to relevant
employees, at least once a year; and
• external specialist training for those operating in vital roles within the risk and compli-
ance functions and high-risk areas within a business.

Training content should be developed so that it is relevant to the particular organisation.
Relevant sanctions regimes should be detailed and, where appropriate, the conflict between
regimes should be explained, alongside the organisation’s stance in respect of that conflict.
Role-specific knowledge should be provided and the obligations on individual employees
and on the organisation and its senior management should be made clear. Within regulated
firms, it is not unusual to see sanctions training programmes developed across the ‘three
lines of defence’ model (with the first line being relevant business operations or units, the
second line being risk and compliance functions, and the third line being internal audit),
such that training is delivered to teams operating in each of the first, second and third lines to
ensure that the specific risks and issues faced by those teams are considered specifically. This
also enables these firms to demonstrate to regulators that they have considered the risks of
breaching sanctions holistically.

Audit
Once a sanctions compliance programme is implemented, it is important to ensure that it is
regularly tested and evaluated to not only ensure it remains effective, but to ensure that the
programme is being implemented consistently throughout the organisation. Both internal
and external audits are useful in this regard and audits can be carried out on specific aspects
of a compliance programme, or on the programme as a whole.
Audits, whether internal or external, should be independent and should aim to identify
any deficiencies in the compliance programme, make recommendations for improvement
and follow up on action items to ensure audit points are closed off and remediated where
necessary. Linking back to the subject of senior management commitment, it is also recom-
mended that audit functions are held accountable by senior management and that updates
and reports on findings are presented to, and considered by, senior management.
Audit functions should provide a level of challenge to the risk and compliance func-
tion and the sanctions compliance framework. The DOJ has indicated that when assessing


compliance programmes generally, in the context of criminal proceedings, the following
three key questions should be asked:14
• Is the corporation’s compliance programme well designed?
• Is the programme being applied earnestly and in good faith?
• Does the corporation’s compliance programme work in practice?

These questions are equally relevant to the work of an independent audit function.

Why is a sanctions compliance programme important?


Regulators and enforcement agencies across the world have made it clear, through their
enforcement action, that failure to have a sanctions compliance programme in place will only
be to the detriment of the entity and be seen as an aggravating factor when sanctions viola-
tions are identified. In recent years we have seen substantial fines being imposed, particularly
in the United States, as a result of sanctions compliance failures. Organisations operating
only within the United Kingdom, however, should not take comfort from the fact that most
of the significant enforcement in recent years has taken place in the United States: the UK
enforcement agency, OFSI, demonstrated through its enforcement against Standard
Chartered plc in 2020 that it is also willing and able to take substantive action.
Some key UK and US enforcement cases in the past two years that highlight the impor-
tance of sanctions compliance programmes include the following:
• Standard Chartered – OFSI15
  • In February 2020, following a voluntary self-disclosure, Standard Chartered, a
    UK-based international bank, was fined a total of £20.47 million16 for identified
    sanctions violations that arose as a result of the bank making funds available for a
    designated person without a licence.17
  • In summary, the bank granted a series of loans to Denizbank AS, a majority-owned
    subsidiary of Sberbank, a Russian bank subject to restrictive measures under the UK/EU
    Ukraine sanctions regime. The restrictions applied to Denizbank AS as it was a
    majority-owned subsidiary of Sberbank.
  • Within the notice imposing a monetary penalty, OFSI commented that firms have to
    understand the prohibitions and requirements contained within sanctions legislation
    and ensure that there are appropriate policies and processes in place to manage this
    risk. It further commented that there should be appropriate risk-based compliance in
    place to recognise the risks that arise across different jurisdictions and mitigate those
    risks appropriately. The note on compliance within the notice makes it clear that
    although OFSI does not mandate a particular standard of sanctions compliance, firms
    should review their due diligence and compliance processes continually to ensure that

14 US Dep’t of Justice’s ‘Guidance on Evaluating Corporate Compliance Programs’ (issued in 2019 and updated in
June 2020).
15 See www.gov.uk/government/collections/enforcement-of-financial-sanctions.
16 Split across two fines of £7.69 million and £12.77 million. These fines were reduced by the Economic Secretary
of the Treasury from £11.9 million and £19.6 million originally imposed by OFSI.
17 Namely being in breach of Article 5(3) of EU Council Regulation 833/2014 and Regulation 3B of The Ukraine
(European Union Financial Sanctions) (No. 3) Regulations 2014.


    breaches of sanctions are prevented, or recognised at an early stage so that appropriate
    action can be taken.
• Standard Chartered – OFAC18
  • Separately, in April 2019, OFAC reached a US$639 million settlement with Standard
    Chartered over alleged violations of sanctions that were in place at the time in respect
    of Myanmar and Sudan and the continuing sanctions in respect of Cuba, Iran and
    Syria. These violations arose as a result of the bank engaging in US-dollar transactions
    through the US financial system that breached the various sanctions regimes.
  • The settlement agreement noted among aggravating factors that the bank’s sanctions
    compliance programme was inadequate to manage risk and had multiple systemic
    deficiencies, including a failure to respond to warning signs. As part of the settlement
    agreement, Standard Chartered made a number of compliance commitments
    following a comprehensive global remediation of its sanctions compliance programme,
    highlighting the importance of such programmes to OFAC. These commitments
    were all centred around the key components of a sanctions compliance programme,
    as have been detailed in this chapter.
• British Arab Commercial Bank (BACB) – OFAC19
  • In September 2019, OFAC reached a $228.84 million settlement with BACB
    (suspended to US$4 million because of financial hardship), a commercial bank located
    in London, as a result of violations of the US sanctions regime against Sudan. These
    violations arose as a result of the bank engaging in US-dollar transactions through the
    US financial system on behalf of Sudanese banks at a time when sanctions in respect
    of Sudan remained in effect.
  • Within the settlement agreement, various compliance commitments were made by
    BACB, many of which related to improvements in internal controls. OFAC identified
    that policies and procedures should be relevant to the organisation, capture
    day-to-day operations and procedures, be easy to follow and be designed to prevent
    employees from engaging in misconduct. OFAC also noted that internal controls
    should enable an organisation to ‘clearly and effectively identify, interdict, escalate
    and report (within an organisation)’ activity that may give rise to sanctions violations.
• UniCredit – OFAC20
  • In April 2019, OFAC announced that as part of a global US$1.3 billion settlement
    with several US agencies, it had entered into settlement agreements totalling
    US$611 million with various UniCredit Group banks. The settlements had arisen as
    a result of violations of a number of US sanctions programmes by way of US-dollar
    transactions being routed through the United States in a non-transparent manner.
  • When the fine was published, the US Under Secretary for Terrorism and Financial
    Intelligence stated: ‘These banks have agreed to implement and maintain commitments
    to enhance their sanctions compliance. As the United States continues to
    enhance our sanctions programmes, incorporating compliance commitments in
    OFAC settlements is a key part of our broader strategy to ensure that the private

18 See https://home.treasury.gov/policy-issues/financial-sanctions/recent-actions/20190409.
19 See https://home.treasury.gov/policy-issues/financial-sanctions/recent-actions/20190917_33.
20 See https://home.treasury.gov/news/press-releases/sm658.


    sector implements strong and effective compliance programmes that protect the US
    financial system from abuse.’
• Union de Banques Arabes et Françaises (UBAF) – OFAC21
  • In January 2021, OFAC announced a $8,572,500 settlement with UBAF, a bank
    based in France that concentrates on trade finance facilitation between Europe and
    the Middle East, North Africa, sub-Saharan Africa, and Asia. Between 2011 and
    2013, UBAF operated US-dollar accounts on behalf of sanctioned Syrian financial
    institutions and indirectly conducted business on behalf of these institutions through
    the US financial system using US dollars.
  • The monetary penalty in this matter could have been much higher; however, it was
    mitigated in part because UBAF had a compliance programme in place at the
    time of the apparent violations and invested substantial resources in improving
    that compliance programme. UBAF had adopted a new Financial Security Charter
    and set up a Compliance Committee, provided in-person and e-learning training
    for all employees and reviewed its business lines to terminate its relationships with
    high-risk entities.

Actions taken by enforcement agencies in the past two years have highlighted the importance
of sanctions compliance programmes. If one is not in place or is not effective, enforcement
agencies will not hesitate in requiring one to be put in place as a condition of a settlement.
Being forced by a regulator or enforcement agency to strengthen a sanctions compliance
programme comes with a number of difficulties, including reputational damage and, in
serious cases, ongoing costs associated with future monitorship by enforcement agencies. It
is far better for an organisation to take the initiative and develop and implement a sanctions
compliance programme on its own terms to protect the business.

Adequate procedures
When faced with potential enforcement action, one of the key questions organisations should
be asking themselves is whether they had adequate procedures in place to prevent sanctions
violations. ‘Adequate procedures’ are not defined in any guidance but generally speaking they
are the measures an organisation has in place to mitigate the risk of sanctions violations.
They are the components of a sanctions compliance programme that have been dealt with in
this chapter.
It is entirely possible for an organisation to have adequate procedures in place and still
experience sanctions violations; no system is perfect. However, being in a position to demon-
strate to an enforcement agency such as OFAC or OFSI that your organisation had adequate
procedures in place may be the difference between a breach being found to be egregious or
not22 and will undoubtedly influence enforcement agencies when they consider whether the
violation has arisen from wilful or reckless conduct by the organisation and its employees.
Being able to demonstrate that adequate procedures were in place, albeit a violation still
occurred, could be significant in ensuring lower penalties.

21 See https://home.treasury.gov/policy-issues/financial-sanctions/recent-actions/20210104_33.
22 Which is relevant when OFAC determines base penalties – see https://www.ecfr.gov/cgi-bin/text-idx?SID=ccac94aaa0387efe2a9c3fca2dc5a4ab&mc=true&node=ap31.3.501_1901.a&rgn=div9.

In this regard, the approach to a sanctions compliance programme is similar to that which
an organisation would take under the UK Bribery Act 2010 (UKBA). The UKBA provides a
defence23 to organisations if they are able to show that they had adequate procedures in place
designed to prevent an offence of bribery occurring. Guidance from the UK government24
indicates that establishing adequate procedures should be informed by six guiding principles:
• proportionate procedures;
• top-level commitment;
• risk assessment;
• due diligence;
• communication and training; and
• monitoring and review.

These are all areas that are relevant to an effective sanctions compliance programme and have
been detailed in this chapter. Where the approach differs is that although having adequate
procedures provides a defence against prosecution under the UKBA, the position is not as
clear in respect of sanctions violations that can still occur and be prosecuted (or have civil
action taken) even when adequate procedures were in place. Notwithstanding this, having
adequate procedures in place is a very significant form of mitigation in the context of
sanctions violations.

Consolidated compliance programmes


Sanctions compliance does not operate in isolation. It is one component of a business’s
financial crime compliance framework, albeit a sometimes tricky one to design and manage.
Sanctions due diligence closely aligns with that undertaken for the purposes of anti-money
laundering (AML) and anti-bribery compliance and it is often the case that these are
undertaken concurrently. Aligning relevant financial crime compliance programmes makes sense
not only from a practical point of view, but it also has financial advantages and enables a
business to mitigate its financial crime risk more effectively. Pulling together AML due diligence,
screening for politically exposed persons, anti-bribery due diligence and adverse media checks
means that an organisation is more likely to have a holistic view of the financial crime risks it
faces and those its customers pose.
Moreover, an organisation’s ability to articulate the potential risks a particular customer
or business partner poses across the whole financial crime risk matrix gives that organisation
a commercial advantage – it truly understands where its customers and business partners are,
where their main places of business are and, as a consequence, where they are likely to need
products and services that the organisation can provide; or products and services that must
be declined because of the potential increase in risk. Either way, the organisation is able to
properly assess the risks. When considering this risk assessment in the context of sanctions
compliance, organisations that have a mature consolidated approach to compliance will be at
a distinct advantage over those that approach risk management in a siloed manner.

23 UK Bribery Act 2010, Section 7.
24 See www.gov.uk/government/publications/bribery-act-2010-guidance.

In an increasingly complex geopolitical environment, the most successful businesses will
not only be those that know when to offer their products and services to clients, but also
those that know when to say no.

14
Sanctions Screening: Challenges and Control Considerations

Charlie Steele, Sarah Wrigley, Deborah Luskin and Jona Boscolo Cappon1

Background
Economic sanctions have evolved in complexity over time. Total embargoes were formerly
common, and were enacted to completely block trade with disfavoured countries. List-based
sanctions (also known as ‘smart’ sanctions) were later introduced, specifically targeting people
and entities rather than entire countries. The most well-known list-based sanctions are those
maintained by the US, published in the Office of Foreign Assets Control’s (OFAC) Specially
Designated Nationals and Blocked Persons (SDN) List.2 More finely targeted sanctions result
in fewer unintended collateral consequences than embargoes but are often more difficult to
comply with. Screening against targeted sanctions lists presents considerable challenges, given
the complex corporate structures used to obscure underlying sanctioned parties, the inherent
difficulties in name matching, and difficulties in screening for entities that are, directly or
indirectly, 50 per cent or more owned by sanctioned parties, under OFAC’s 50 Percent Rule.
A more recent example of increasing complexity is sanctions that address both entities
and their underlying activities. For example, the US sectoral sanctions3 introduced in 2014 in
response to Russia’s annexation of Crimea target persons, companies and entities in
specified sectors of the Russian economy (especially energy, finance and armaments), prohibiting
certain types of activity by US persons with individuals or entities operating in those sectors.
This new type of sanctions added another level of complexity to compliance; existing
challenges in correctly identifying sanctioned parties were compounded by the requirement to
also understand the types of activities in which the targets were engaged.

1 Charlie Steele is a partner, Sarah Wrigley is a director and Deborah Luskin and Jona Boscolo Cappon are
associate directors at Forensic Risk Alliance.
2 https://home.treasury.gov/policy-issues/financial-sanctions/specially-designated-nationals-and-blocked-persons-list-sdn-human-readable-lists.
3 https://home.treasury.gov/system/files/126/ukraine_eo3.pdf.

Sanctions screening failures have figured prominently in a number of OFAC penalty
settlements, with both financial and non-financial entities. To this end, we will review
current regulatory guidance for a successful sanctions screening programme, how screening
relates to the core elements of the overall sanctions compliance programme, examples of
enforcement actions focusing on screening failures, and screening in the context of a
sanctions investigation.

Regulatory expectations for sanctions screening


In the US, OFAC has not published detailed guidance regarding expectations for sanctions
screening programmes. The US Department of the Treasury’s 2019 ‘A Framework
for OFAC Compliance Commitments’ (the ‘Framework’),4 after addressing five high-level
elements for a sound sanctions compliance programme, identifies 10 common root causes
of sanctions compliance failures. The sixth root cause addresses some of the failures that
occur due to poor configuration of sanctions screening software.5 The guidance mentions
some specific failings, including using outdated screening lists, incomplete data screening
and not accounting for alternative spellings of names. These are a few of the potential points
of failure when screening for possible sanctions violations, but there are several more that we
will discuss throughout this chapter.
In 2015, OFAC published a one-page guidance document regarding the management of
‘false hits’ lists.6 Pursuant to that guidance, where companies have determined that potential
sanctions match alerts can be disregarded as false positives and suppressed going forward to
avoid unnecessary review time, compliance personnel should be involved in oversight and
administration of the lists, and, among other things, the lists should be modified promptly
and as necessary to account for changes to sanctions lists.
In contrast to the limited guidance from OFAC, the New York Department of Financial
Services (NYDFS), which regulates financial institutions licensed within the state of New
York, has taken a more prescriptive stance as to sanctions screening programmes. NYDFS
had identified weaknesses in transaction monitoring and sanctions screening programmes
within regulated institutions. It attributed these failures to insufficient governance and
accountability at senior levels. As a result, NYDFS set out specific requirements for these
programmes7 that require Boards of Directors or Senior Officers to certify compliance on an
annual basis.8
The first compliance findings were due in April 2018 and required regulated institutions to:

4 https://home.treasury.gov/system/files/126/framework_ofac_cc.pdf.
5 VI. Sanctions Screening Software or Filter Faults: Many organisations conduct screening of their customers,
supply chain, intermediaries, counterparties, commercial and financial documents, and transactions in order
to identify OFAC-prohibited locations, parties, or dealings. At times, organisations have failed to update their
sanctions screening software to incorporate updates to the SDN List or SSI List, failed to include pertinent
identifiers such as SWIFT Business Identifier Codes for designated, blocked, or sanctioned financial institutions,
or did not account for alternative spellings of prohibited countries or parties – particularly in instances in which
the organisation is domiciled or conducts business in geographies that frequently utilise such alternative spellings
(i.e., Habana instead of Havana, Kuba instead of Cuba, Soudan instead of Sudan, etc.).
6 https://home.treasury.gov/system/files/126/false_hit.pdf.
7 Part 504 of the New York State Banking Regulations in 2017.
8 www.dfs.ny.gov/industry_guidance/transaction_monitoring.

• Undertake comprehensive and holistic assessments of their transaction monitoring and
sanctions filtering programs;
• Provide appropriate supporting evidence to demonstrate the effectiveness of the programs;
• Execute remedial efforts, material improvements, or redesigns to keep the programs in
compliance; and
• Implement governance processes for the annual certification.

At a more detailed level, each regulated institution must maintain a sanctions screening
programme that is reasonably designed to interdict transactions prohibited by OFAC and
that includes the following attributes:

• Be based on the risk assessment of the institution;
• Be based on technology, processes or tools for matching names and accounts, in each case
based on the institution’s particular risks, and transaction and product profiles;
• End-to-end, pre- and post-implementation testing of the Filtering Program, including,
as relevant, a review of data matching, an evaluation of whether the OFAC sanctions
list and threshold settings map to the risks of the institution, the logic of matching
technology or tools, model validation, and data input and program output;
• Be subject to on-going analysis to assess the logic and performance of the technology
or tools for matching names and accounts, as well as the OFAC sanctions list and the
threshold settings to see if they continue to map to the risks of the institution; and
• Include documentation that articulates the intent and design of the Filtering Program
tools, processes or technology.

In addition, the sanctions screening programme must include:

• Identification of all data sources that contain relevant data;
• Validation of the integrity, accuracy and quality of data to ensure that accurate and
complete data flows through the Transaction Monitoring and Filtering Program;
• Data extraction and loading processes to ensure a complete and accurate transfer of data
from its source to automated monitoring and filtering systems, if automated systems
are used;
• Governance and management oversight, including policies and procedures governing
changes to the Transaction Monitoring and Filtering Program to ensure that changes
are defined, managed, controlled, reported, and audited;
• Vendor selection process if a third party vendor is used to acquire, install, implement, or
test the Transaction Monitoring and Filtering Program or any aspect of it;
• Funding to design, implement and maintain a Transaction Monitoring and Filtering
Program that complies with the requirements of this Part;
• Qualified personnel or outside consultant(s) responsible for the design, planning,
implementation, operation, testing, validation, and on-going analysis of the Transaction
Monitoring and Filtering Program, including automated systems if applicable, as well
as case management, review and decision making with respect to generated alerts and
potential filings; and
• Periodic training of all stakeholders with respect to the Transaction Monitoring and
Filtering Program.

Although not all financial institutions are subject to these rules (and non-financial entities are
not within their scope), they provide a useful benchmark in evaluating whether a sanctions
screening programme has been designed well and is operating effectively.
In the UK, the Financial Conduct Authority’s (FCA) Financial Crime Guide addresses
compliance with sanctions and asset freezes.9 In the context of a risk assessment, a firm should
understand where sanctions risks reside, considering different business lines, sales channels,
customer types and geographical locations, and should keep the risk assessment current.
Examples of good practices related to sanctions screening include:

• where a firm uses automated systems, these can make ‘fuzzy matches’ (be able to identify
similar or variant spellings of names, name reversal, digit rotation, character
manipulation, etc.);
• the firm should screen customers’ directors and known beneficial owners on a
risk-sensitive basis;
• where the firm maintains an account for a listed individual, the status of this account is
clearly flagged to staff; and
• a firm should only place faith in other firms’ screening (such as outsourcers or
intermediaries) after taking steps to satisfy themselves that this is appropriate.

In addition to these examples of best practices, the Guide cites a £5.6 million fine by the
FCA’s predecessor against Royal Bank of Scotland (RBS) in 2010, where RBS failed to
adequately screen their customers and payments against the sanctions list, did not ensure its
‘fuzzy matching’ remained effective, and, in many cases, did not screen the names of directors
and beneficial owners of customer companies.
In addition to the OFAC, NYDFS and FCA regulatory guidance referenced above, the
Wolfsberg Group published ‘Guidance on Sanctions Screening’ in 2019.10 The guidance
indicates that sanctions screening should be supported by key enabling functions, such as
policies and procedures, a responsible person, a risk assessment, internal controls and testing.
These areas roughly correspond to the high-level pillars within OFAC’s Framework. In addition
to Wolfsberg’s key enabling functions, the guidance also discusses principles for generating
productive sanctions alerts, the need for metrics and reporting, independent testing and
validation, data integrity, and criteria used to develop screening technology in-house or to
select a vendor to provide such services.

How sanctions screening fits into the sanctions compliance programme (SCP)
Sanctions screening does not operate in a vacuum; it is an integrated piece of the sanctions
compliance programme. In this section, we will describe some of the key elements of an
effective sanctions screening programme in relation to the five high-level areas of compliance
articulated in OFAC’s Framework.

9 www.handbook.fca.org.uk/handbook/FCG.pdf.
10 www.wolfsberg-principles.com/sites/default/files/wb/pdfs/Wolfsberg%20Guidance%20on%20Sanctions%20Screening.pdf.

Governance and risk assessment


When an entity implements proper governance and oversight and performs a sanctions
risk assessment, there should be clear alignment between identified sanctions risks and the
sanctions screening programme configuration. If the sanctions risk assessment determines
that certain geographies, customers or products present significant sanctions risk, regulators
would expect to see that the relevant sanctions lists are utilised for screening and that there
are more stringent screening criteria applied in higher-risk areas.
For example, NYDFS requires that attributes for sanctions screening programmes address
links between the risk assessment and the screening programme configuration. Specifically,
the tools used to screen for sanctions exposure must be based on the risk assessment,
configured in a risk-based manner, tested to ensure they provide results in accordance with the
identified risks, and the entity must document links between risks identified and the
configuration of the sanctions screening programme. This is an important reminder that entities
should not implement software to address general sanctions risks; rather, they should identify
specific sanctions risks and then develop or procure software that sufficiently addresses those
identified risks.

Internal controls – due diligence


To properly screen for potential sanctions violations, proper due diligence must be performed.
During customer onboarding, the entity must obtain and verify key information to identify
the customer, including, but not limited to, name, alternate names, address, date of birth,
registration number and country of incorporation. These attributes are useful during
subsequent sanctions screening as they help determine if a potential sanctions match is valid. The
entity should also understand ultimate beneficial ownership (UBO) information, key trading
partners, and supply chain information, where relevant. UBO information, in particular, is
relevant in determining if a person or company falls within the sanctions restrictions due to
their beneficial ownership of a sanctioned entity. Before processing transactions, the company
may need to understand the counterparty UBO, supply chain information, shipping
information, and M&A due diligence information, including UBOs, controllers, goods and services,
and origin of goods. If insufficient due diligence is performed during onboarding and before
transactions occur, it is difficult to have an effective sanctions screening programme in place
later, when necessary and relevant information is not present with which to identify potential
sanctions violations.

Internal controls – screening


Proper sanctions screening processes involve many controls. At a high level, we can consider
three distinct phases: (1) inclusion of complete and accurate information; (2) the logic behind
how matching occurs; and (3) how potential sanctions violations are evaluated.
The first consideration in sanctions screening is to determine if you have gathered all of
the relevant information. This often involves collating siloed data across different business or
product lines. It can also entail ensuring that all relevant information within those systems
is included in the population of data for screening. In several recent OFAC enforcement
actions, the agency noted absence of relevant data from the sanctions screening process.
• February 2021: BitPay, Inc., a digital currency business, settled with OFAC for
US$507,375 for processing payments for over five years, where they possessed Internet
Protocol (IP) data and some invoice information that indicated the customer was located
in a sanctioned jurisdiction, but did not utilise that information for sanctions screening
purposes.11 BitPay, Inc. screened the merchants, but not the end customers, against
relevant sanctions lists, even though they were in receipt of end-customer information. As
a result, customers with IP addresses or invoice information indicating origination in
Crimea, Cuba, North Korea, Iran, Sudan and Syria were able to make purchases from
merchants in the US and elsewhere using digital currency on BitPay’s platform.
• December 2020: BitGo Inc. settled with OFAC for US$98,830 for processing
digital currency transactions for customers with IP addresses in numerous sanctioned
jurisdictions.12
• December 2020: National Commercial Bank settled with OFAC for US$653,347 for
processing payments to sanctioned entities.13 One of the mitigating factors in
determining the penalty included the future ‘required screening of all payments against
international sanctions lists’.
• September 2020: Deutsche Bank Trust Company Americas settled with OFAC for
US$583,100 for processing Ukraine-related payments.14 There were several issues with
their screening software, but one in particular is that they did not include the SWIFT
Business Identifier Code (BIC) in their sanctions screening, which allowed payments to
be made to a designated financial institution.
• June 2019: Western Union settled with OFAC for US$401,697 because a bank in The
Gambia, serving as one of their principal master agents, used a sub-agent that was on
a sanctions list.15 Western Union had erroneously recorded the sub-agent as a location
of the master agent, rather than as a distinct legal entity. There was a process to screen
master agents and sub-agents, but they did not screen the location data for the sub-agents.
Because Western Union mistakenly believed that the Gambia-based company had
operated out of a single location that had been closed, the sub-agent continued to serve as
sub-agent for another month.
• April 2019: Standard Chartered Bank settled with OFAC for US$639,023,750 for several
sanctions violations, including online and mobile banking platforms that, for many years,
did not include comprehensive sanctions screening.16

After all relevant information is gathered, the quality of the data must also be addressed. For
example, typing errors, non-standard inputs, blank values and inconsistent structure can all
impede effective sanctions screening.

11 https://home.treasury.gov/system/files/126/20210218_bp.pdf.
12 https://home.treasury.gov/system/files/126/20201230_bitgo.pdf.
13 https://home.treasury.gov/system/files/126/20201228_NCB.pdf.
14 https://home.treasury.gov/system/files/126/20200909_DBTCA.pdf.
15 https://home.treasury.gov/system/files/126/20190607_western_union.pdf.
16 https://home.treasury.gov/system/files/126/scb_settlement.pdf.

The second consideration is the configuration of the sanctions screening programme.
There are many areas to consider when defining the configuration, but we will focus on the
importance of an effective name screening process.
Sanctions screening can be performed against standing data within an entity or against
transactions. The most common type of sanctions matching is based on name screening,
determining if there is a match between the sanctions list entry and a company’s internal
information. This is performed, for example, during due diligence on new customers, when
due diligence is periodically refreshed, when transactions occur, and during M&A activity.
Name screening can generate both false-negative and false-positive matches.
False positives occur when names of non-sanctioned entities or individuals are
incorrectly matched and flagged as sanctioned. Sanctions screening can reduce false positives and
validate matches by leveraging the many attributes included in sanctions lists for individuals,
companies, ships, airplanes and financial institutions. Sanctions lists typically contain several
different pieces of identifying information, such as aliases, street addresses, dates of birth,
nationalities, passport numbers, tax identification numbers, email addresses, corporate
registration numbers, aircraft tail numbers, vessel registration identification numbers, website
addresses and digital currency addresses.
However, the risk of false negatives – that is, failure to identify a true match to a
sanctioned party – is much higher than the risk of false positives. A common problem occurs
when screening looks only for exact matches, and therefore misses a potential match due to
a slight variation in the name. Name variations can occur for a number of reasons, such as
the presence of hyphens, use of titles, punctuation, spelling errors, use of initials, acronyms,
name reversals, phonetic spellings, abbreviations and shortened names.
Language differences, phonetic transcriptions and transliteration from one alphabet or
writing system to another further complicate the landscape of name matching. For example, a
lack of standards for the spelling of Arabic names in Roman script introduces at least a dozen
name variations for the former Libyan leader Gaddafi, ranging from Qaddafi to Elkaddafi.
‘Fuzzy matching’ introduces flexibility in how the screening system matches names and
terms. For example, ‘Jon’ and ‘John’ might be considered equivalent in a fuzzy matching
system, particularly where the last name or date of birth is an exact match. However, the more
expansive the fuzzy match criteria become, the greater the risk that the company will become
inundated with false positives, which affects the effectiveness and efficiency of the screening
process as a whole.
Configuration of fuzzy matching is both art and science. There are many data analytic
methods to employ fuzzy matching, such as sound methods (which use algorithms to
turn similar sounding names into the same key to identify similar names), distance methods
(which measure the difference in characters between two names), statistical similarity methods
(which look at large datasets to train the model to find similar names) and hybrids of these
methods. A detailed analysis of the various methods is outside the scope of this chapter, but
the more important point is that there is a regulatory expectation that fuzzy matching will
be employed and continually fine-tuned to address each company’s unique environment and
sanctions risk.
In recent years, several OFAC enforcement actions have noted fuzzy match inadequacies,
including the following:

• September 2020: Deutsche Bank Trust Company Americas’ September 2020 settlement
with OFAC cited, among other things, the company’s complete lack of fuzzy matching
for names.17
• July 2020: Amazon.com Inc. settled with OFAC for US$134,523 for Amazon’s screening
processes, which did not flag orders with address fields containing an address in ‘Yalta,
Krimea’ for the term ‘Yalta,’ a city in Crimea, nor for the variation of the spelling of
Crimea.18 In another example, Amazon failed to interdict or otherwise flag orders shipped
to the Embassy of Iran located in third countries. Moreover, in several hundred instances,
Amazon’s automated sanctions screening processes failed to flag the correctly spelled
names and addresses of persons on OFAC’s SDN List.
• November 2019: Apple settled with OFAC for US$466,912 for failing to identify that
SIS, an App Store developer, was added to the SDN List and was therefore blocked.19
Apple later attributed this failure to its sanctions screening tool’s failure to match the
upper-case name ‘SIS DOO’ in Apple’s system with the lower-case name ‘SIS d.o.o.’ as
written on the SDN List. The term ‘d.o.o.’ is a standard corporate suffix in Slovenia
identifying a limited liability company.
• October 2019: The General Electric Company settled with OFAC for US$2,718,581 for
accepting payments from an entity on the SDN List.20 The sanctioned entity was Cobalt
Refinery Company, or Corefco. The payments contained Cobalt’s full legal entity name
as it appears on OFAC’s SDN List as well as an acronym for Cobalt (‘Corefco’), but the
GE Companies’ sanctions screening software, which screened only the abbreviation of the
SDN’s name, never generated an alert on Cobalt’s name.
• November 2018: Cobham Holdings, Inc. settled with OFAC for US$87,507 for
screening software that failed to generate an alert against JSC AlmazAntey (as identified
on the SDN List) for payments made to Almaz Antey Telecommunications LLC.21 The
third-party screening software relied on by Cobham used an ‘all word’ match criteria that
would only return matches containing all of the searched words, even though Cobham
had set the search criteria to ‘fuzzy’ to detect partial matches. This meant that the
software failed to match ‘Almaz Antey’ when Cobham searched for ‘Almaz Antey Telecom.’
Almaz-Antey Telecommunications LLC was 51 per cent owned by the SDN.
• October 2018: OFAC issued a Finding of Violation to JPMorgan Chase Bank – formally
determining that the bank had committed violations, but declining to impose a monetary
penalty – because the bank’s screening software did not identify SDN-listed persons.22
From 2007 to October 2013, they used a vendor screening system that failed to identify
customers with potential matches to the SDN List. The system’s screening logic capabilities
failed to identify customer names with hyphens, initials, or additional middle or last
names as potential matches. After transitioning to a new system in 2013, JPMC re-screened
188 million clients’ records through the new system and reported the historical violations
to OFAC.

17 https://home.treasury.gov/system/files/126/20200909_DBTCA.pdf.
18 https://home.treasury.gov/system/files/126/20200708_amazon.pdf.
19 https://home.treasury.gov/system/files/126/20191125_apple.pdf.
20 https://home.treasury.gov/system/files/126/20191001_ge.pdf.
21 https://home.treasury.gov/system/files/126/20181127_metelics.pdf.
22 https://home.treasury.gov/system/files/126/jpmc_10050218.pdf.

All of the enforcement examples described above show that failures as to completeness of
data and fuzzy matching can lead to ineffective sanctions screening and enforcement actions.
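
The name normalisation and 'distance method' matching discussed above, as an added Python example (not code from this chapter or from any screening vendor): it screens inputs taken from the Apple, Cobham and Amazon cases against a constructed five-term watchlist built from names quoted in the text, and shows how the threshold trades false negatives against false positives. The legal-form set, the thresholds and all function names are assumptions made for illustration.

```python
import re
import unicodedata

# Constructed screening terms, using names and places quoted in the chapter.
WATCHLIST = ["SIS d.o.o.", "JSC AlmazAntey", "Crimea", "Cuba", "Iran"]

# Assumption: a small illustrative set of legal-form words ignored when matching.
LEGAL_FORMS = {"doo", "jsc", "llc", "ltd", "inc"}
MIN_JOINED = 6  # shortest joined name allowed to match as a substring


def tokens(name):
    """Case-fold, strip accents and punctuation, drop legal-form words."""
    text = unicodedata.normalize("NFKD", name)
    text = "".join(c for c in text if not unicodedata.combining(c)).casefold()
    text = text.replace(".", "")            # "d.o.o." becomes "doo"
    words = re.findall(r"[a-z0-9]+", text)  # Latin script only; hyphens and commas split words
    kept = [w for w in words if w not in LEGAL_FORMS]
    return kept or words                    # never reduce a name to nothing


def edit_distance(a, b):
    """Levenshtein distance between two strings (a 'distance method')."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def similarity(a, b):
    """1.0 for identical words, falling towards 0.0 as more edits are needed."""
    return 1.0 - edit_distance(a, b) / max(len(a), len(b))


def score(entry, candidate):
    """How well the list entry is covered by the candidate, from 0.0 to 1.0."""
    e, c = tokens(entry), tokens(candidate)
    if not e or not c:
        return 0.0
    joined_e, joined_c = "".join(e), "".join(c)
    # Catches spacing differences such as "AlmazAntey" vs "Almaz Antey".
    if len(joined_e) >= MIN_JOINED and joined_e in joined_c:
        return 1.0
    # Every list word needs a close partner in the candidate; extra candidate
    # words ("Telecom") do not lower the score.
    return min(max(similarity(t, w) for w in c) for t in e)


def exact_hits(candidate):
    """Baseline for comparison: exact string equality only."""
    return [e for e in WATCHLIST if e == candidate]


def screen(candidate, threshold=0.8):
    """Return (entry, score) pairs at or above the threshold, best first."""
    scored = [(e, score(e, candidate)) for e in WATCHLIST]
    hits = [(e, round(s, 2)) for e, s in scored if s >= threshold]
    return sorted(hits, key=lambda h: -h[1])


if __name__ == "__main__":
    # Constructed inputs modelled on the enforcement cases described above.
    for text in ["SIS DOO", "Almaz Antey Telecom", "Yalta, Krimea", "Acme Trading Ltd"]:
        print(f"{text!r}: exact={exact_hits(text)} fuzzy={screen(text)}")
    # Threshold tuning: 0.8 misses 'Kuba'; 0.75 finds it but also flags 'Iraq' against 'Iran'.
    for text in ["Kuba", "Iraq"]:
        print(f"{text!r}: at 0.80 {screen(text)} / at 0.75 {screen(text, 0.75)}")
```

The last two inputs are the reason thresholds have to be tested against the institution's own data: the setting that catches the alternative spelling is the same one that produces the false hit.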
On a related note, one of OFAC’s and the UK’s Office of Financial Sanctions
Implementation’s (OFSI) ‘mitigating factors’ used to determine the final civil penalty amount
is the strength of an entity’s sanctions compliance programme, including the screening
component. OFAC gave mitigation credit to several companies that implemented or improved their
sanctions screening programmes after detecting violations, including the following:
• BitPay, Inc.’s February 2021 settlement with OFAC noted that the company’s changes to
its compliance programme included blocking of IP addresses that appear to originate in
sanctioned jurisdictions, including end-customer information in the screening process,
and launching a new customer identification tool for merchant’s buyers.23
• In a January 2021 settlement with OFAC, PT Bukit Muria Jaya procured sanctions
screening services from a third-party provider.24
• In a January 2021 settlement, OFAC noted that Union de Banques Arabes et Francaises
now utilises the sanctions screening software used by their largest shareholder, which
includes screening the client database, an anti-stripping module, negative news research,
risk database research, vessel screening and country screening.25
• BitGo, Inc.’s December 2020 settlement with OFAC noted that the company now
performs IP address blocking, as well as email-related restrictions for sanctioned
jurisdictions, and performs periodic batch screening, reviews of screening configuration criteria
on a periodic basis, screening all ‘hot wallets’26 against the SDN List, including
cryptocurrency wallet addresses identified by OFAC, and a retroactive batch screen of all users.27
• In a December 2020 settlement, OFAC noted that National Commercial Bank now
requires screening of all payments against international sanctions lists, and requires sanctions
checks during account openings.28
• Amazon.com Inc.’s July 2020 settlement with OFAC notes several improvements to
the company’s screening processes, including employment of internal and third-party
sources to conduct thorough reviews of Amazon’s automated screening systems to address
screening failures, incorporation of additional automated preventative screening controls,
development of internal custom screening lists to minimise the risk of processing transactions
that raise sanctions compliance concerns, and enhancement of its sanctioned jurisdiction
IP blocking controls and implementation of automated processes to continually
update its mapping of IP ranges associated with sanctioned jurisdictions.29

23 https://home.treasury.gov/system/files/126/20210218_bp.pdf.
24 https://home.treasury.gov/system/files/126/20210114_BMJ.pdf.
25 https://home.treasury.gov/system/files/126/01042021_UBAF.pdf.
26 Cryptocurrency wallet that is online and connected in some way to the internet.
27 https://home.treasury.gov/system/files/126/20201230_bitgo.pdf.
28 https://home.treasury.gov/system/files/126/20201228_NCB.pdf.
29 https://home.treasury.gov/system/files/126/20200708_amazon.pdf.

• In its February 2020 OFAC settlement, Societe Internationale de Telecommunications
Aeronautiques SCRL implemented extensive remedial efforts and enhancements to its
customer and supplier screening.30
• In its June 2019 settlement with OFAC, Hotelbeds USA implemented an enhanced
third-party IT solution with a sanctions screening tool.31

Finally, it is important to note that the examples thus far have focused on identifying matches
for list-based sanctions targets. As noted above, there are other types of sanctions that are
more targeted and complex – for example, OFAC’s sectoral sanctions, which focus on entities
and activities.32 In 2019, Haverly Systems, Inc. settled an OFAC enforcement action
for US$75,375 after it invoiced JSC Rosneft, a Russian oil company, to be payable within
90 days.33 The invoices were not paid within that time frame and this violated Directive
2 under the Russia sectoral sanctions, which prohibited dealing in new debt of greater than
90 days maturity. Similarly, Standard Chartered Bank was fined over £20 million by the UK’s
OFSI for loans with maturity over 30 days to specific entities as part of the Ukraine sanctions.34
Another example is the recent ban on US-person investment in Communist Chinese
Military Companies (CCMCs) on public exchanges; this involves identification of both the
investor (are they a US person?) and the activity (does this transaction involve investment in
or derivative of, or provide investment exposure to, securities in the 44 specified CCMCs?).35
As sanctions include more complex, targeted criteria, the methods needed to ensure compliance
likewise become more complex, in some cases requiring companies to flag both the
entity and the activity to determine if potential sanctions violations have occurred.
OFAC’s 50 Percent Rule adds an additional element to screening complexity. Under this
rule, the property and interests in property of an entity are blocked if the entity is owned,
directly or indirectly, 50 per cent or more by one or more persons whose property and interests
in property are blocked.36 This rule means that screening may require tools that review
and assess an entity’s ownership structure, and do not just stop at a review against designated
parties’ lists.
The Wolfsberg Group’s sanctions screening guidance contains a discussion regarding the
assessment of which data elements to screen.37 Specifically, the guidance states:

Names of parties involved in the transaction are relevant for list based sanctions programmes,
whereas addresses are more relevant to screening against geographical sanctions programmes
and can be used as identifying information to help distinguish a true match from a false
match. Other data elements, such as bank identification codes, may be relevant for both list

30 https://home.treasury.gov/system/files/126/20200226_sita.pdf.
31 https://home.treasury.gov/system/files/126/20190612_hotelbeds_0_1.pdf.
32 https://home.treasury.gov/system/files/126/ukraine_eo3.pdf.
33 https://home.treasury.gov/system/files/126/20190425_haverly.pdf.
34 https://assets.publishing.service.gov.uk/government/uploads/system/uploads/attachment_data/file/876971/200331_-_SCB_Penalty_Report.pdf.
35 https://home.treasury.gov/system/files/126/13959.pdf.
36 https://home.treasury.gov/system/files/126/licensing_guidance.pdf.
37 https://www.wolfsberg-principles.com/sites/default/files/wb/pdfs/Wolfsberg%20Guidance%20on%20Sanctions%20Screening.pdf.


and geographically based sanctions programmes. In a sanctions context, some data elements
are more relevant when found in combination with other attributes or references. For
example, detection of sectoral sanctions risk typically requires detection of multiple factors,
such as those where both the targeted parties and the prohibited activities are involved.
Many controls may not be capable of detecting both factors simultaneously and, therefore,
may not be effective.

Internal controls – investigation


The third consideration is the evaluation process for potential sanctions violations. After
the potential violations are identified through the screening process, manual investigation
is required to determine whether there is a true match. If repeated alert closures due to
non-matches are obvious during the manual review, these repetitive false matches should be
incorporated into whitelists, to ensure that the names generating the false matches will not
trigger alerts going forward. However, it is important to note that those whitelists should be
reviewed each time changes are made to relevant sanctions lists. Relevant key controls within
this area include sufficient personnel to review sanctions alerts, policies and procedures
specifying how alerts are adjudicated and the relevant information that must be included,
and procedures for approval and communication of potential sanctions breaches to relevant
authorities.

Auditing
Evaluating the auditing component of the sanctions compliance programme involves three
key areas of focus with respect to screening. One is determining if the configuration of
automated screening tools is explicitly tied to the sanctions risk assessment. The second is
performing an independent evaluation of the software configuration and results. This can
be accomplished through an independent party that re-scans existing customers or transactions
to determine if they receive similar results. Finally, it is important to determine how
the company gains comfort over the outsourcing of any elements of the screening process.
Where the entity relies on external parties to provide timely updated sanctions lists, or to
screen against the lists and provide alerts, the company needs to confirm for itself whether or
not those results match the configuration.

Training
There are two key aspects to evaluating the training component of the sanctions compliance
programme as it relates to screening. The first is determining if those charged with managing
the sanctions screening process received specialised training that may include sanctions
evasion techniques, data analytic methods related to fuzzy matching, and language or cultural
training for understanding how names and punctuation differ between countries. The second
is incorporating information learned during the potential sanctions match process into the
sanctions training that is provided to the company widely. For example, after GE discovered
the alleged sanctions violations noted above, during testing and auditing of its compliance
programme, GE implemented remedial measures, including developing a training video for
employees using the violations as a case study.38

Sanctions screening in an investigation


A sanctions investigation can be initiated for a number of reasons, including an independent
evaluation of a company’s sanctions compliance programme, a tip from a whistle-blower,
an adverse audit or compliance finding, or a regulatory inquiry. As part of any sanctions
compliance investigation, the sanctions screening process and tools will require review. The
investigation should include:
• review of the due diligence performed and included in the screening process;
• review of the specific data subject to screening and its field mapping;
• independent evaluation of the current screening configuration, such as fuzzy match, in
a test environment to see if it is comparable to what the screening tool is supposed to
determine; and
• comparative analysis of search terms run through the existing screening tool against a
sanctions search engine to determine if any likely matches were missed over time.

Conclusion
Complete and accurate sanctions screening is a critical component of any successful sanctions
compliance programme. Many companies utilise automated sanctions screening tools to flag
potential sanctions matches for further review. Regulators expect proper oversight and effective
use of these sanctions screening programmes, which is evidenced in the recent settlement
agreements for both financial and non-financial entities. While many entities focus on the
capabilities of a sanctions screening programme, it is important to remember that a successful
programme also requires proper oversight, a clear mapping between relevant sanctions risks
for the entity and the sanctions screening configuration, and regular review to ensure results
are complete, accurate and efficient.

38 See footnote 20, above.

15
Navigating Conflicting Sanctions Regimes

Cherie Spinks, Bruce G Paulsen and Andrew Jacobson1

Introduction
The ever-increasing globalisation of business means that many companies now operate to
some extent in two or more jurisdictions. This requires companies to be cognisant of trade
laws in other jurisdictions, in particular export control laws and sanctions regimes. When
those regimes conflict, or a jurisdiction’s laws apply extraterritorially, companies are left grappling
with decisions about whether it is lawful to proceed with transactions.2
This is particularly true of the sanctions regimes in place in the United States and the
European Union, which are the focus of this chapter. Measures imposed by each government
or body often follow a common policy objective and will typically be agreed collectively by
the United Nations Security Council. However, policy objectives sometimes diverge and
can be driven by regional political dynamics. This has been the case in the past in relation
to measures imposed by the United States on Cuba and the different approaches taken by
the United States and the European Union more recently in relation to the reimposition of
measures on Iran.
For those regimes in which the United States has implemented secondary sanctions, for
example Russia, even companies without a US presence may face punishment – in the form
of designation under those sanctions – for carrying on certain business contrary to the US’s
Russia sanctions. This is even the case for EU-based companies that are carrying on business
in compliance with the EU’s own Russia/Ukraine sanctions. We consider the effects of
secondary sanctions on non-US persons below.
For companies subject to both US and EU sanctions regimes, compliance with both is
complicated by the EU’s blocking legislation, which has recently been updated in light of the

1 Cherie Spinks is of counsel at Simmons & Simmons LLP. Bruce G Paulsen is a partner and Andrew Jacobson is
an associate at Seward & Kissel.
2 Conflicts of law issues involving China and Hong Kong are dealt with in Chapters 11 and 12 of this Guide.


US’s position on Iran.3 We discuss the background to, and application and enforcement of,
the blocking legislation below.
This chapter also considers the US anti-boycott laws and provides guidance on advising
clients on managing conflicting regimes in that context. The conduct of risk assessments, due
diligence and approaches to contractual sanctions clauses are also covered.
Following the UK’s withdrawal from the EU, the UK’s autonomous sanctions regime has
emerged creating potential further conflicts for businesses operating globally. We comment
at the end of this chapter on the UK’s blocking provisions following Brexit.

Blocking regulation
Historical perspective
The United States has historically embraced embargoes and economic sanctions to facilitate
its foreign policy objectives, including when confronted by the competing foreign policy
interests of Europe and other world powers. Notably, in the late 1970s, the United States
enacted the Export Administration Act of 1979 (the EAA), which provided the President
with broad authority over US exports.4
The Reagan Administration used the EAA’s power over US exports to confront the Soviet
Union’s interests during the Cold War. Specifically, the Reagan Administration deployed an
economic embargo5 to target the construction of a Europe–Siberia pipeline, fearing that the
Soviets would use it to leverage support from western Europe and strengthen its military

3 In January 2019, the E3 (the governments of France, Germany and the United Kingdom) established a special
purpose vehicle, the Instrument in Support of Trade Exchanges [INSTEX], designed to facilitate legitimate
trade between European businesses and Iran to mitigate the effect of the US Iran sanctions. INSTEX creates
a ledger that offsets balances between its members (which also now include Belgium, Denmark, Finland, the
Netherlands, Norway and Sweden) when goods are traded – the intention being that payments will only be
made between the businesses importing and exporting from Iran, with no transfer of US dollars to Iran from
the European Union. On 31 March 2020, the UK government confirmed that the first transaction had been
completed on INSTEX (see www.gov.uk/government/news/instex-successfully-concludes-first-transaction).
4 Export Administration Act of 1979, Pub. L. No. 96-72, 93 Stat. 503 (1979) [EAA]. Specifically, the EAA
provided the President with authority to ‘prohibit or curtail the exportation of any goods, technology, or other
information subject to the jurisdiction of the United States, to the extent necessary to further significantly the
foreign policy of the United States or to fulfil its declared international obligations’. id., § 6(a)(1).
5 The US trade embargo required US companies to obtain a licence before exporting certain commodities and
technologies relating to oil and gas transportation to the Soviet Union, and the restrictions were eventually
expanded to include the dissemination of goods and technology by European-based subsidiaries and licensees of
American businesses. See Patrizio Merciai, ‘The Euro-Siberian Gas Pipeline Dispute – A Compelling Case for
the Adoption of Jurisdictional Codes of Conduct’, 8 Maryland J. of Int’l L. 1, 11-12 (1984); Jae-Seung Lee and
Daniel Connolly, ‘Pipeline Politics between Europe and Russia: A Historical Review from the Cold War to the
Post-Cold War’, 14 Korean J. of Int’l Studies [Lee and Connolly] 105, 111 to 113 (April 2016); Joseph Roussel,
‘The Pipeline Revisited’, 21 Gov. & Opposition [Roussel] 218, 219 (Spring 1986); Sarah J Cogswell, ‘In the Wake
of the Pipeline Embargo: European-United States Dialogue’, 12 Fla. St. U.L. Rev. [Cogswell] 73, 78 (Spring
1984); Gary H Perlow, ‘Taking Peacetime Trade Sanctions to the Limit: The Soviet Pipeline Embargo’, 15 Case
W. Reserve J. of Int’l L. 253, 253, 254 (1983).


interests.6 Despite the US’s efforts to curtail Soviet influence, the embargo was short-lived
and by the winter of 1982, it was repealed, due in large part to European protests.7
Similar to the US’s efforts to curtail Soviet influence in Europe during the Cold War,
the Cuban Liberty and Democratic Solidarity (Libertad) Act of 1996 (known as the
Helms-Burton Act) was enacted in an effort to provide redress to US nationals whose property was
confiscated by the Cuban Government following the Cuban revolution, and deter foreign
companies from establishing economic relations with Cuba.8 Notably, the Helms-Burton
Act’s most significant provision was the authorisation for US nationals to sue companies or
individuals that had confiscated or trafficked in confiscated property from Cuba.9
The Helms-Burton Act has a renewed relevance today. Although it is not a formal
economic sanctions programme, it certainly has affected US and foreign companies that have
previously done business in Cuba and with the Cuban government, and those that seek to
do so in the future.

US secondary sanctions
In the mid 1990s, the United States continued to implement economic sanctions targeting
non-US companies and individuals who did business in countries hostile to the United States.
In 1996, for example, the United States enacted the Iran and Libya Sanctions Act of 1996
(now known as the Iran Sanctions Act), the aim of which is to deter investment by non-US
companies in Iran and Libya by imposing sanctions on companies and individuals that made
investments contributing to Iran’s or Libya’s petroleum sectors. Like the Trans-Siberian pipeline
embargo and the Helms-Burton Act, the Iran Sanctions Act was condemned as ‘extraterritorially’
illegal and a violation of international law by many of the US’s trading partners.10
The Iran Sanctions Act opened the door for more expansive secondary sanctions and
the United States continued that trend into the twenty-first century, including with implementation
of the Comprehensive Iran Sanctions, Accountability, and Divestment Act of
2010 (secondary sanctions targeting Iran’s energy sector and foreign financial institutions

6 See Lee and Connolly (footnote 5, above), at 112.


7 See Emmanuel Mourlon-Druol and Angela Romano, ‘The Iran nuclear deal crisis: Lessons from the
1982 transatlantic dispute over the Siberian gas pipeline’, at
www.bruegel.org/2018/05/the-iran-nuclear-deal-crisis-lessons-from-the-1982-transatlantic-dispute-over-the-siberian-gas-pipeline/
(23 May 2018); Roussel (footnote
4, above), at 221; Cogswell (footnote 4, above), at 79.
8 Named after its original sponsors Senator Jesse Helms (North Carolina – R) and Representative Dan Burton
(Indiana – R), the Helms-Burton Act was signed into law on 12 March 1996, shortly after Cuban fighter jets
shot down two private planes operated by a Miami-based humanitarian organisation flying over international
waters. See David M Shamberger, ‘The Helms-Burton Act: A Legal and Effective Vehicle for Redressing U.S.
Property Claims in Cuba and Accelerating the Demise of the Castro Regime’, 21 B.C. Int’l & Comp. L. Rev. 497,
497, 500 (1998); Jeffrey A Meyer, ‘Second Thoughts on Secondary Sanctions’, 30 U. Pa. J. Int’l L. [Meyer] 905,
928 (2014).
9 Helms-Burton Act, Title III provides for a private right of action, whereby US nationals can bring suit in
federal court against any person that traffics in property confiscated by the Cuban government on or after
1 January 1959. 22 U.S.C. § 6082. Title III’s private right of action had been suspended by each US presidential
administration since 1996, although the underlying causes of action were permitted to accrue. However, on
2 May 2019, despite the Obama Administration’s efforts to ease relations with Cuba, the Trump Administration
declined to extend the suspension of Title III.
10 See Meyer (footnote 8, above), at 929.


that engage in certain transactions with Iran), Countering America’s Adversaries Through
Sanctions Act in 2017 (secondary sanctions against Russia, North Korea and Iran), and the
US’s withdrawal from the Joint Comprehensive Plan of Action (JCPOA) in 2018, which
reimposed many of the secondary sanctions against Iran that had been paused as a result
of the Iran nuclear deal. In short, despite the challenges posed by the blocking laws of the
European Union and the opposition of other government bodies, the United States has
continued to implement and enforce sanctions targeting non-US companies and individuals
that transact with countries hostile to the US’s foreign policy interests.

The EU Blocking Regulation


Council Regulation (EC) No.  2271/96 (the Blocking Regulation) was adopted by the
European Union in 1996 following enactment of the Iran Sanctions Act by the US government.
Its purpose is to protect EU persons against the effects of the extraterritorial application
of legislation adopted by a third country that damages the interests of the European
Union (in reality, currently, only the United States). In an interpretative note, the European
Union explains that protection under the Blocking Regulation concerns ‘international trade;
and/or the movement of capital; and related commercial activities between the EU and
non-EU countries’.11
When first adopted, the Blocking Regulation was designed to counteract the US economic
sanctions against Cuba, Libya and Iran (as described above). The relevant US measures are
set out in the Annex to the Blocking Regulation and these were extended in June 2018 to
include additional US sanctions on Iran following US withdrawal from the JCPOA.12
The Blocking Regulation applies to:
• any natural person being a resident in the European Union and a national of a
Member State;
• any legal person incorporated within the European Union;

11 ‘Effects of foreign legislation on the EU’s financial interests’, at https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=LEGISSUM:l24400.
12 Commission Delegated Regulation (EU) 2018/1100 amends the Annex to the Blocking Regulation. It came
into force on 6 August 2018 to coincide with expiry of the first of two wind-down periods put in place following
reintroduction of nuclear-related sanctions against Iran by the United States. The Blocking Regulation now
blocks: (1) National Defense Authorization Act [NDAA] for Fiscal Year 1993, Title XVII Cuban Democracy
Act 1992, Sections 1704 and 1706; (2) Cuban Liberty and Democratic Solidarity Act of 1996; (3) Iran
Sanctions Act of 1996; (4) Iran Freedom and Counter-Proliferation Act of 2012; (5) NDAA for Fiscal Year 2012;
(6) Iran Threat Reduction and Syria Human Rights Act of 2012; and (7) Iranian Transactions and Sanctions
Regulations. It is possible that the Blocking Regulation could be extended to apply to additional measures.
For example, if work on the Nord Stream II pipeline resumes, consistent with previous indications (e.g., on
25 June 2020, Josep Borrell (High Representative and Vice President of the European Commission);
www.europarl.europa.eu/doceo/document/E-9-2020-001783-ASW_EN.html), the EU may take steps to counteract
possible US sanctions (see NDAA for Fiscal Year 2020, Title LXXV, Section 7503, Protecting Europe’s Energy
Security Act of 2019). Additionally, the US enacted further restrictions regarding Nord Stream 2 in the National
Defense Authorization Act for Fiscal Year 2021, which amended Section 7503 of the Protecting Europe’s Energy
Security Act of 2019 (PEESA). These new restrictions target foreign persons that support pipe-laying activities,
such as providing underwriting services, insurance or reinsurance for vessels engaged in pipe-laying activities,
among other restrictions. See 2021 NDAA, Section 1242.


• any national of a Member State established outside the European Union and any shipping
company established outside the European Union and controlled by nationals of
a Member State, if their vessels are registered in that Member State in accordance with
its legislation;
• any other natural person being a resident in the European Union, unless that person is in
the country of which he or she is a national; and
• any other natural person within the EU, including its territorial waters and air space and
in any aircraft or on any vessel under the jurisdiction or control of a Member State, acting
in a professional capacity.13

In August 2018, the European Commission (the Commission) sought to clarify the position
of EU subsidiaries of US companies and subsidiaries of EU companies in the United
States.14 Subsidiaries of US companies that have their registered office, central administration
or principal place of business within the European Union are considered to be ‘EU operators’
and therefore subject to the EU Blocking Regulation. This is not the case for EU branches of
US companies since they do not have distinct legal personality from their parent company.15
Nor is it the case for US-based subsidiaries of EU companies that will be subject to the law
under which they are incorporated (i.e., generally US law). Their parent companies will of
course be EU operators and therefore subject to the provisions of the Blocking Regulation.
The main provisions of the Blocking Regulation are as follows:
• EU operators are prohibited from complying, actively or by deliberate omission, with any
requirement or prohibition specified in the measures set out in the Annex.16 However,
EU operators may be authorised by the Commission to comply fully or partially with any
of the legislation set out in the Annex if to do otherwise would seriously damage their
interests or those of the European Union.17
• No decisions of non-EU courts, tribunals or administrative authorities giving effect to the
measures set out in the Annex or any actions based thereon or resulting therefrom shall be
recognised or enforceable within the European Union.18
• If the economic or financial interests of any EU operator are affected by the legislation
set out in the Annex (or by actions based thereon or resulting therefrom), they must
inform the Commission (or their own competent sanctions authority) within 30  days

13 Collectively referred to as EU operators – see Article 11 of Council Regulation (EC) No. 2271/96
[Blocking Regulation].
14 See ‘Guidance Note: Questions and Answers: adoption of update of the Blocking Statute’ (2018/C 277 I/03)
[EU Guidance Note], Question 21.
15 Although employees working at an EU branch who are EU nationals would need to comply with the
Blocking Regulation.
16 Blocking Regulation, Article 5.
17 id., at Articles 5, 7 and 8. The EU Guidance Note (Question 16) makes clear that ‘not every nuisance or damage
suffered by EU operators will entitle them to obtain an authorisation. This is a consequence of the fact that the
Union does not accept that the listed extra-territorial legislation should govern the conduct of EU operators in its
territory, and the possibility to do so remains an exception. . . . The authorisation procedure should not be used
in order for EU operators to seek so-called “letters of comfort” from the Commission’.
18 id., at Article 4. The EU Guidance Note (Question 4) states that, in addition, ‘no decision requiring, for
instance, seizure or enforcement of any economic penalty against an EU operator based on the aforementioned
acts will be executed in the EU’.


of the date on which they obtain that information.19 The reporting obligation applies to
directors, managers and other persons with management responsibilities. In addition, the
Commission has the power to request additional information.
• Penalties for non-compliance with the Blocking Regulation are to be imposed by each
Member State. Article 9 requires that any such sanctions ‘must be effective, proportional
and dissuasive’.

The terms of the Blocking Regulation are unclear in a number of ways; for example, in respect
of the prohibition on European companies from ‘complying’ with the measures set out in
the Annex. In this context, ‘complying’ might be interpreted to mean that business should be
conducted in line with the requirements of the relevant measures. Does this therefore mean
that European businesses are prohibited from actively deciding that they should not do business
in Iran or Cuba because to do otherwise might suggest that they are complying with
US economic sanctions? In the EU Guidance Note, the Commission’s response is as follows:

EU operators are free to conduct their business as they see fit in accordance with EU law and
national applicable laws. This means that they are free to choose whether to start working,
continue, or cease business operations in Iran or Cuba, and whether to engage or not in an
economic sector on the basis of their assessment of the economic situation. The purpose of
the Blocking Statute is exactly to ensure that that [sic] such business decisions remain free,
i.e., are not forced upon EU operators by the listed extra-territorial legislation, which the
Union law does not recognise as applicable to them.20

The impact of the ‘extraterritoriality’ of the US legislation creates another area of uncertainty.
Since the purpose of the Blocking Regulation is to counteract the extraterritorial effect of
the measures specified in the Annex, the prohibition under Article 5 will apply only to the
extent that measures apply extraterritorially to EU operators. Determining this will largely
be a question of fact. In addition, it is unclear whether the Article 5 prohibition applies to
US secondary sanctions as well as primary sanctions. US primary sanctions typically apply to
entities and individuals that have a US nexus (e.g., US persons, companies organised under
the laws of the United States, those using the US financial system, among others), while
secondary sanctions are intended to target entities and individuals, regardless of their connections
to the United States (e.g., companies organised in foreign jurisdictions, individuals not
located in, or citizens of, the United States, among others). Given that primary sanctions
do not typically apply extraterritorially therefore to EU companies (with the exception of
EU-incorporated subsidiaries of US companies), it might be concluded that primary sanctions
are not within scope of the Blocking Regulation and, therefore, EU companies are free
to conduct their affairs in line with those sanctions if they so desire. However, the Blocking
Regulation and the EU Guidance Note do not provide clarity either way on this matter.

19 id., at Article 2.
20 EU Guidance Note – Questions and Answers: adoption of update of the Blocking Statute, Question 5.


Enforcement and penalties


Local transposition of the Blocking Regulation by Member States is varied. Some have implemented
criminal penalties for breach of the provisions (e.g., while a member of the EU,
the United Kingdom)21 and others have imposed administrative penalties (e.g., Germany).22
Others have not transposed the Blocking Regulation directly into national law (e.g., France).
The risk of enforcement action being taken for breach of the Blocking Regulation
(or local law equivalent) will vary between Member States. However, enforcement risk is
generally perceived to be low.23 This may be, in part, as a result of the legal uncertainties
surrounding the terms of the Blocking Regulation.24 It may also be that enforcement agencies
acknowledge that for some companies, principally EU-incorporated subsidiaries of US
companies, they will be caught between ‘a rock and hard place’ when deciding whether to
comply with the relevant US sanctions or the terms of the Blocking Regulation. Taking into
account varying enforcement risks between the European Union and the United States, many
companies are likely to opt to comply with US sanctions, if relevant, given the much higher
level of enforcement risk for sanctions breaches in the United States.
It is perhaps more likely that EU operators who decide to end business with Iranian or
Cuban counterparties may be subject to civil claims by those parties for losses caused as a
result of their decisions to terminate existing contractual arrangements.
For example, Bank Melli Iran commenced proceedings against Telekom Deutschland
GmbH in Germany following issuance of notice to terminate existing contractual arrangements
by the telecommunications company against a German branch of the bank. The
termination notice was issued subsequent to the designation by the Office of Foreign Assets
Control (OFAC) of Bank Melli Iran on the List of Specially Designated Nationals (SDNs)
and Blocked Persons (the SDN List) in 2018. The bank claims that notice to terminate the
contracts was issued in breach of Article 5 of the Blocking Regulation as it was issued in
purported compliance with US secondary sanctions on Iran. On 2 March 2020, the German
court made a request to the EU Court of Justice for a preliminary ruling on interpretation of
Article 5.25 It includes seeking a ruling on whether Article 5 only applies if an EU operator is
issued directly or indirectly with an official or court order of the United States, or whether it

21 Extraterritorial US Legislation (Sanctions against Cuba, Iran and Libya) (Protection of Trading Interests) Order
1996, Article 2.
22 The German Foreign Trade and Payments Ordinance.
23 Only one enforcement case has been reported. In 2007, an Austrian Bank (BAWAG) was subject to
administrative proceedings for breaching the Blocking Regulation following closures of accounts held by
Cuban nationals. The bank allegedly closed the accounts to facilitate its acquisition by a US private equity firm.
Proceedings were ultimately dropped following reinstatement of the customers’ accounts.
24 The Commission has acknowledged that EU operators might decide not to engage in certain activities as a result
of commercial business considerations rather than to comply with US legislation, and furthermore that it will
not usually be possible to establish that the decision is as a direct result of US legislation rather than commercial
considerations (answer given by Vice President Mogherini to parliamentary questions E-007804/2014 on
1 April 2015).
25 Case C-124/20, at http://curia.europa.eu/juris/showPdf.jsf?text=&docid=225701&pageIndex=0&doclang=en&mode=lst&dir=&occ=first&part=1&cid=833930.


is sufficient for its application that the action of the EU operator is predicated on compliance
with secondary sanctions. A ruling is yet to be made.26
Separately, Article 6 of the Blocking Regulation provides that any EU operator shall be
entitled to recover any damages and legal costs caused to that person by the application of
the laws specified in the Annex. This provision is broad and leaves open the possibility that a
claim could, for example, be made against the US government for losses caused.27
Despite the restrictions imposed by blocking measures enacted by the European Union
and others, OFAC has not indicated an interest in easing enforcement for US companies or
their foreign subsidiaries that operate in sanctioned jurisdictions. In fact, OFAC’s Framework
for Compliance Commitments, issued in May 2019, does not reference the Blocking
Regulation, and US authorities take the view that companies whose transactions have a nexus
to the United States must abide by US sanctions, regardless of the local restrictions that
companies or individuals might have.28

Drafting contractual provisions


Drafting robust sanctions compliance provisions is crucial to the effective performance of
contracts, particularly in financing and trade arrangements. The strength of these provisions
will vary depending on the sanctions risk (both present and future) to a particular arrangement
or transaction. Difficulties will arise when multiple jurisdictions and conflicting sanctions
regimes are involved.
Even more challenging is the need to proof contracts against the risk that they might
include terms that imply an obligation to comply with sanctions legislation imposed by third
countries. For example, the English courts have held that a non-default clause in an agreement
governed by English law including the words ‘mandatory provision of law’ was wide
enough to include both primary and secondary US sanctions in circumstances where neither
party to the agreement was a US person, nor did the transaction have a US connection.29 This
enabled a party to suspend payments under the agreement.

26 A hearing was scheduled for 23 February 2021.


27 The EU Guidance Note leaves open that possibility (see Question 13: ‘From whom can EU operators claim
compensation for those damages? Can EU operators sue the US authorities to recover damages?’).
28 The US government has made extradition requests for EU individuals alleged to have breached US sanctions.
How these requests are treated by EU jurisdictions varies. For example, (while a member of the EU) English
courts have determined that the double criminality requirement necessary for an extradition order to be
made has been met notwithstanding that there has been no breach of EU sanctions (for example, the cases of
Christopher Tappin (2012) and Ahmad Feras Diri (2015) who were extradited to the US in respect of illegal
exports to, respectively, Iran and Syria). More recently, the Blocking Regulation was raised as a possible bar
to extradition. In April 2020, the Dutch Supreme Court held that the Regulation did not protect an Iranian
national from extradition to the US since his alleged conduct was determined to also give rise to a breach of
EU sanctions on Iran (see ECLI:NL:HR:2020:623). The individual had argued that the Article 4 provisions
of the Blocking Regulation (no judgment of a court outside the EU giving effect to a blocked measure
shall be recognised within the EU) ought to prevent an indictment of a federal grand jury in the District of
Columbia, US.
29 Lamesa Investments Ltd v. Cynergy Bank Ltd [2020] EWCA Civ 821. In this case, the Court of Appeal
upheld a declaration made by the High Court that permitted Cynergy Bank (a UK company) to rely on a
‘non-default’ clause in a facility agreement [the Agreement] between the parties if Cynergy failed to make loan
repayments in compliance with any ‘mandatory provision of law’. US Department of the Treasury’s Office


In addition, it is vital that parties do not breach the terms of the Blocking Regulation
by agreeing to comply with relevant US measures (as set out in the Annex to the Blocking
Regulation). Typically, agreements will require parties to confirm that they have not, and
will not, breach relevant sanctions. If a US person is involved in such an agreement, relevant
sanctions will be defined to include US sanctions and limits will be placed on dealing with
persons designated by OFAC under those sanctions.30 Article 5 of the Blocking Regulation
could be interpreted widely to mean that compliance with such terms amounts to ‘complying’
under Article 5.31
To work around the implications of the Blocking Regulation, contractual parties often
carve out the terms of that Regulation from an obligation to comply with US sanctions.
In those circumstances, a compliance with sanctions clause would not be applicable to the
extent that it is inconsistent with the Blocking Regulation.
German nationals (legal and natural) are prohibited from issuing or participating in a
boycott declaration.32 Terms that define the breach of a sanctions clause as an event of default
under the contract might also fall foul of the anti-boycott legislation since the party in breach
would suffer adverse consequences. German contractual parties therefore typically seek to
include a carve out from compliance with sanctions that are inconsistent with the terms of
the anti-boycott legislation and that either opt in or opt out of particular terms.
An alternative approach is for contractual parties to limit terms relating to compliance
with sanctions to the facts of a specific transaction. For example, it may not be necessary for
parties to agree to continuing compliance with US sanctions on Iran if they carry out no
business in Iran or with Iranian parties. When permitting a counterparty to adopt such an
approach, it is recommended that due diligence is undertaken, for example, to obtain a clear
understanding of the counterparty’s business, likely use of funds (in a financing arrangement)
and to determine the legal possibility and risk of that party breaching US sanctions.

of Foreign Assets Control [OFAC] designated Lamesa’s ultimate beneficial owner as a specially designated
national [SDN], meaning that Lamesa fell within the scope of US secondary sanctions. Cynergy refused to
make repayments under the Agreement, as continuing to do so carried a risk that Cynergy itself might be
sanctioned as the payments might be categorised as a ‘significant financial transaction’ with a US-sanctioned
entity. The Agreement did not expressly define US secondary sanctions within scope of the term ‘a mandatory
provision of law’; however, Cynergy argued that they were and therefore an implied obligation could be read
into the Agreement not to knowingly facilitate significant financial transactions on behalf of a secondary
sanctioned entity. Among other things, Lamesa argued that US secondary sanctions had no legal effect in the
United Kingdom and therefore Cynergy faced exposure to penalties or the risk that it could become subject to
sanctions itself.
30 Consistent with comments made earlier in this chapter, it is possible that agreement to comply with US primary
sanctions would not fall foul of Article 5 since US primary sanctions do not typically apply to EU operators.
31 However, the English High Court in Mamancochet Mining Ltd v. Aegis Managing Agency Ltd & Ors [2018]
EWHC 2643 (Comm) stated on an obiter basis that the Blocking Regulation was not engaged if an insurer’s
liability to pay a claim was suspended under a sanctions clause, as an insurer was not ‘complying’ with a third
country’s prohibition, but was simply relying on the terms of the policy to refuse payment of a claim.
32 German Foreign Trade and Payment Act, Section 7. Sanctions imposed by the United Nations, European Union
or German government are outside the prohibition.


US anti-boycott laws
Overview
The current iteration of the US’s anti-boycott laws was first enacted in the middle to late
1970s with the Ribicoff Amendment to the Tax Reform Act of 1976 (TRA) and the EAA.
Both statutes were enacted in response to the Arab League’s boycott of Israel, although neither
explicitly referenced Israel or the Arab League’s boycott. The US Department of Commerce’s
Bureau of Industry and Security (BIS) administers and enforces the EAA’s anti-boycott provisions
through the Export Administration Regulations (EAR), while the US Department of
the Treasury is responsible for administering and enforcing the TRA’s anti-boycott provisions,
which are contained in Section 999 of the Internal Revenue Code.33

Applicability
The EAR’s anti-boycott restrictions apply to the activities of US persons that do business
in the interstate or foreign commerce of the United States.34 The EAR defines ‘US person’
as ‘any person who is a United States resident or national, including individuals, domestic
concerns, and “controlled in fact” foreign subsidiaries, affiliates, or other permanent foreign
establishments of domestic concerns’.35
Similarly, the anti-boycott provisions of the TRA, which are contained in Section 999 of
the Internal Revenue Code, apply to any US person, defined as a citizen or resident of the
United States, a domestic partnership, a domestic corporation, any estate (other than a
foreign estate), and any trust subject to US supervision or control.36

33 In 2018, Congress enacted the Export Control Reform Act and the Anti-Boycott Act of 2018, which provided
permanent statutory authority for the Export Administration Regulations [EAR]. See NDAA for Fiscal Year
2019, P.L. No. 115–232 (21 August 2018); see also 50 U.S.C. §§ 4812, 4841 to 4843. Recently, the Treasury
Department removed the United Arab Emirates (UAE) from its current list of countries that require or may
require participation in, or cooperation with, an international boycott within the meaning of Section 999(b)(3)
of the Internal Revenue Code. See Federal Register Notice, U.S. Department of the Treasury (April 8,
2021), at www.federalregister.gov/documents/2021/04/08/2021-07244/list-of-countries-requiring-cooperation-with-an-international-boycott.
34 Examples of ‘interstate or foreign commerce’ of the United States include the sale, purchase or transfer of goods
or services (including information) between two or more states, any state and any territory or possession of the
United States, two or more territories or possessions of the United States, or a state, territory or possession of the
United States and any foreign country. See 15 C.F.R. § 760.1(d)(1), Guidance (1).
35 15 C.F.R. § 760.1(b). However, the concept of ‘US person’ does not include an individual US national who is a
resident outside the United States and who is either employed permanently or temporarily by a non-US person
or assigned to work as an employee for, and under the direction and control of, a non-US person. 15 C.F.R.
§ 760.1(b)(v)(4). The definition of ‘US person’ under the EAR is therefore narrower than the concept under the
US’s economic sanctions laws, regulations and executive orders, which typically define US persons to include
US citizens, regardless of whether they are located within or outside the United States. In short, the EAR applies
to US residents and nationals, including those travelling outside the territory, but US residents and nationals that
are employed by non-US persons are generally exempted from the EAR’s anti-boycott requirements.
36 See 26 U.S.C. § 7701(a)(30); Issuance of New Boycott Guidelines, 43 Fed. Reg. 3454 (25 January 1978).
Unlike the EAR, the Tax Reform Act of 1976 generally applies to any US taxpayer or member of a controlled
group, including a foreign subsidiary with more than half of its shares owned by a US parent company, and its
consequences are not restricted by a US commerce test. See 26 U.S.C. §§ 999(a)(1), 993(a)(3), 1563(a).


Prohibitions
The EAR prohibits a wide range of conduct relating to unauthorised boycotts. Specifically,
US persons may not:

refuse, knowingly agree to refuse, require any other person to refuse, or knowingly agree to
require any other person to refuse, to do business with or in a boycotted country, with any
business concern organized under the laws of a boycotted country, with any national or
resident of a boycotted country, or with any other person, when such refusal is pursuant to
an agreement with the boycotting country, or a requirement of the boycotting country, or a
request from or on behalf of the boycotting country.37

In addition, US persons are prohibited from furnishing, or knowingly agreeing to furnish,
‘information concerning his or any other person’s past, present or proposed business relationships’
with or in a boycotted country, with any business concern organised under the laws of
a boycotted country, with any national or resident of a boycotted country, or with any other
person who is known or believed to be restricted from having any business relationships with
or in a boycotting country.38
With regard to the TRA, Section 999(b) of the Internal Revenue Code prohibits agreements
to participate or cooperate in international boycotts, which includes instances in
which a person agrees to refrain from doing business with a country that is the object of a
boycott, refrain from doing business with a US person engaged in trade in a country that is
the object of a boycott, or refrain from doing business with any company whose ownership
or management is made up of individuals of a particular nationality, race or religion, among
other potential grounds.39

Reporting requirements
Under the EAR, all US persons are required to report to BIS once a quarter whenever they
receive a ‘request to take any action which has the effect of furthering or supporting a restrictive
trade practice or boycott fostered or imposed by a foreign country against a country
friendly to the United States or against any United States person’.40 Such a request can either

37 15 C.F.R. § 760.2(a)(1). Unlike the strict liability standard applied for violations of US sanctions, ‘intent’ is a
necessary element for an EAR anti-boycott violation; § 760.1(e)(3). Specifically, the EAR prohibits US persons
from taking or knowingly agreeing to take certain actions with the ‘intent to comply with, further, or support
an unsanctioned foreign boycott’; § 760.1(e)(1). Thus, a US person who ‘inadvertently, without boycott intent,
takes a prohibited action’, does not violate the EAR’s anti-boycott prohibitions contained in Section 760.2;
§ 760.1(e)(3). Notably, the EAR states that ‘intent’ does not mean that one has to agree with the boycott in
question, desire that the boycott succeed, or seek that the boycott be furthered or supported; § 760.1(e)(4).
Rather, the reason or purpose for an action can be proved by circumstantial evidence; § 760.1(e)(5).
38 15 C.F.R. § 760.2(d)(1). However, the prohibition on furnishing information does not apply to the furnishing
of normal business information in a commercial context, including information regarding financial fitness,
technical competence, or professional experience; § 760.2(d)(3).
39 26 U.S.C. § 999(b)(3).
40 15 C.F.R. § 760.5(a)(1). Notably, there are certain requests or actions that are not required to be reported
under the EAR, which are set forth in Section 760.5(a)(5). For example, US persons who are the owner, master,
charterer or employee of a vessel, aircraft, truck or certain other mode of transportation, are not required to


be verbal or in writing, and can include a request to furnish information or enter into or
implement an agreement. It may also include a solicitation, directive, legend or instruction
that asks for information or that requests a US person to take or refrain from taking a
particular action.41
Under the TRA, US persons must annually report the receipt of any requests to participate
in or cooperate with a boycott, regardless of whether they plan to assent to any request.42
Section 999’s reach is broad, such that if the taxpayer ‘knows or has reason to know that
participation in or cooperation with an international boycott is required as a condition of
doing business’ within a boycotting country or with a boycotting entity, the taxpayer must
report, regardless of whether it has direct contact with that country or entity.43

Penalties and enforcement


Penalties for violations of US anti-boycott laws can be severe. Administrative penalties under
the EAR can include a denial of export privileges and the imposition of monetary fines
up to US$50,000 per violation.44 Criminal penalties can include monetary fines of up to
US$1 million and up to 20 years’ imprisonment for wilful violations.45 BIS, in enforcing
the EAR, encourages voluntary self-disclosure, which can qualify as a mitigating factor if
done properly.46
Violating the TRA may result in adverse tax consequences, including the loss of foreign
tax credits and the exclusion of extraterritorial income from gross income.47 Liability attaches
under the TRA if a US person fails to report prohibited boycott activity to the Internal
Revenue Service.48 Specifically, any person who wilfully fails to report faces fines of up to
US$25,000 and imprisonment for up to one year.49

Acceptable forms of contractual language


In drafting agreements for transactions (including letters of credit) in which a boycott-related
issue arises, there are several important factors to consider in complying with applicable
US law and protecting a company after an agreement is finalised. First, companies should
consider whether the parties have a nexus to the United States and, if so, whether they are
subject to the US’s anti-boycott laws. Second, if the parties are subject to the US’s anti-boycott
laws, then careful attention to the agreement’s contractual language is necessary, including
any references to Israel or other unsanctioned boycotts. For example, a reference to Israel in a

report requests that they provide a certificate demonstrating their eligibility to enter a particular port; 15 C.F.R.
§ 760.5(a)(5)(viii).
41 15 C.F.R. § 760.5(a).
42 26 U.S.C. § 999(a)(2).
43 26 U.S.C. § 999(a)(1)(B).
44 15 C.F.R. Appendix Supplement No. 2 to Part 766, Note to Paragraph (c)(1), at
https://www.law.cornell.edu/cfr/text/15/appendix-Supplement_No_2_to_part_766.
45 50 U.S.C. § 4843(a).
46 See 15 C.F.R. § 764.8(a); 15 C.F.R. App’x Supp. No. 2 to Part 766(d)(2)(i)(A).
47 See 26 U.S.C. § 999(b)(1); IRS Form 573 (Rev. Sept. 2018); see also Rufus Von Thulen Rhoades and
Marshall J Langer, U.S. International Taxation and Tax Treaties, §§ 11.01, 11.03 (2020).
48 26 U.S.C. § 999(f).
49 id.


charterparty agreement for a vessel transporting petroleum in the Middle East could be a red
flag that necessitates further enquiry to ensure there is no violation of the anti-boycott laws.
Third, attention should be given to requests to furnish information, including, for example,
information regarding prior port calls or business activity in Israel or other boycotted jurisdictions.
Finally, those subject to US anti-boycott laws should consider the exceptions contained
in the EAR and other laws, including those that permit certain activities necessary to comply
with local law in foreign jurisdictions.50

Advising clients subject to US and EU regimes


Relevance of due diligence and risk assessment
In any commercial setting, performing due diligence for a contemplated transaction and
screening the relevant counterparties is an essential component of an effective compliance
programme. Due diligence should examine the background of the parties, including a
particular focus on those who are nationals of or otherwise resident in sanctioned jurisdictions
(for example, Iran).51 In addition, consideration should be given to the flow of funds,
including ensuring that funds do not transit sanctioned jurisdictions, companies or financial
institutions. Parties to transactions that involve high-risk jurisdictions should exercise caution in
transiting the US financial system, including the use of the US dollar (which may clear through
US accounts) as OFAC has targeted non-US companies for ‘causing’ US correspondent
banks to violate sanctions by processing otherwise sanctioned payments.52
Additionally, in providing credit facilities and other lending transactions, the lender
should ensure that the borrower, and any subsidiaries or affiliates that might access the loan
proceeds, have controls in place to prevent those proceeds from being used in, or for, activities
that violate EU or US sanctions. If a borrower uses loan proceeds to transact with a
party subject to sanctions or in a manner that violates sanctions, then the lender could face
sanctions liability.
Notably, the concepts of facilitation and predominance are particularly relevant in the
context of credit facilities and other large commercial transactions. Under the US’s Burma
sanctions, which the Obama administration withdrew in October 2016 (but which have recently
been reimposed in a targeted manner),53 US persons were prohibited from investing in a
third-country company when that company’s profits were predominantly derived from

50 The EAR contains several exceptions that apply and determining whether an anti-boycott violation has occurred
is often dependent on the particular facts and circumstances of the conduct. See, generally, 15 C.F.R. §§ 760.2,
760.3.
51 While transactions with non-SDN nationals of certain sanctioned jurisdictions might be permissible if done
outside those territories, the US’s sanctions against Cuba, for example, generally prohibit transactions with
Cuban nationals, wherever located.
52 See, e.g., CSE Global Limited/CSE TransTel Pte Ltd Settlement, US Treasury Department’s Office of Foreign
Assets Control [OFAC] (27 July 2017), at https://home.treasury.gov/system/files/126/20170727_transtel.pdf;
PT Bukit Muria Jaya Enforcement Action (14 January 2021), at https://home.treasury.gov/system/files/126/20210114_BMJ.pdf;
Essentra FZE Company Limited Enforcement Action, OFAC (16 July 2020), at
https://home.treasury.gov/policy-issues/financial-sanctions/recent-actions/20200716_33.
53 The US re-imposed certain sanctions against individuals and entities in Burma related to human rights abuses
committed by the military. See, e.g., 25 March 2021 OFAC Announcement, available at
https://home.treasury.gov/policy-issues/financial-sanctions/recent-actions/20210325.


Burma.54 In a sense, this rule prevented US persons from doing indirectly what they were
prevented from doing directly, and is closely aligned with the concept of facilitation, which
prohibits US persons from approving, financing, facilitating or guaranteeing any transaction
by a foreign person ‘where the transaction by that foreign person would be prohibited . . . if
performed by a [US person] or within the United States’.55 The concepts of facilitation and
predominance differ in the sense that predominance penalises companies that profit from
business in sanctioned jurisdictions, whereas facilitation is meant to prevent US companies
from enlisting foreign entities or individuals to engage in conduct that they themselves
could not otherwise perform. In short, while predominance is a concept to consider when
transacting with companies that have a large presence in sanctioned jurisdictions,
facilitation also poses a significant risk, especially with regard to US companies that have
foreign affiliates or subsidiaries, or counterparties involved in cross-border transactions in
high-risk jurisdictions.

Use of general and specific licences


Under US sanctions administered by OFAC, there are general and specific licences, each
of which authorises activities that are otherwise prohibited by US law. General licences
authorise a particular type of transaction for a class of persons without the need to apply for
a specific licence from OFAC. A specific licence is a written document issued by OFAC to
a particular person or entity, following an application process, that authorises a particular
transaction or set of transactions.56 Both general and specific licences are typically limited
to a specific period and range of activities and persons. Broadly speaking, activities that are
‘ordinarily incident and necessary’ to a licensed transaction are also often authorised, such as
funds transfers and certain shipping transactions.
In relying on a general or a specific licence, companies and individuals should ensure
they are performing the precise range of activities authorised by the licence, and doing so
within the timeframe specified by the licence (typically two years for a specific licence and
often shorter for a general licence). In addition, parties should be mindful of wind-down
periods or OFAC’s expectation that the business activity will be wound down prior to expiry
of the licence.
Finally, when a US company or its foreign affiliate transacts with a counterparty that relies
on a specific licence, the US company or foreign affiliate should request a copy of the licence
before engaging in the business relationship. Upon receipt of the licence, it is important to
confirm that the licence is valid, the business activity contemplated is covered by the licence
and that the timeframe of the anticipated business transactions will not extend beyond the
expiration date set forth in the licence. OFAC will often renew a specific licence but there is
no guarantee, and OFAC is under no obligation to do so.
Moreover, although OFAC will generally not grant specific licences for activities that have
no US nexus, non-US companies are still permitted to seek formal written guidance from

54 31 C.F.R. § 537.412 (repealed by Exec. Order No. 13,742, 81 Fed. Reg. 70,593 (12 October 2016)); see
Perry S Bechky, Sanctions and the Blurred Boundaries of International Economic Law, 83 Mo. L. Rev. 1, 11, 12,
n.62 (2018).
55 31 C.F.R. § 560.208.
56 See OFAC FAQ 74.


OFAC through the licensing process and informal guidance from OFAC via its hotline. In
addition, EU operators cannot request a licence from OFAC to be exempt from the application
of extraterritorial sanctions listed in the Blocking Regulation. To seek a licence is very
likely to demonstrate ‘compliance’ with the US sanctions under Article 5. However, the
Commission acknowledges that it does not consider conversations with OFAC to understand
the effects of the sanctions to amount to compliance.57

Representations and warranties


In negotiating cross-border transactions, it is often prudent to consider sanctions-related
written representations and warranties as a way to mitigate future risks. For example,
in lending transactions, the lender should consider requiring that the borrower affirmatively
represent and warrant that it will not use the loan proceeds for purposes that violate applicable
sanctions (e.g., a ‘use of proceeds’ clause). This representation and warranty can often
apply to the borrower’s subsidiaries, affiliates, employees, officers and directors, and any
others that might have access to the loan proceeds.
Additionally, parties in cross-border transactions can protect their interests by including
contractual provisions that govern what will occur if a sanctions violation is suspected or
detected. For example, a lender should consider including information request and notification
clauses in the applicable loan agreements, whereby if the borrower learns of a potential
sanctions violation, it will be required to report that to the lender and the lender will be
permitted to request additional information, as necessary to ensure the loan has not been
used for sanctioned purposes and that the loan principal is not at risk of being frozen.
Finally, to the extent that a party to a transaction has a sanctions-related problem, there
should be some mechanisms built into the transaction to permit an orderly exit. For example,
in the context of a revolving credit facility, the lenders should have the option to exit the
facility following notice that the borrower violated sanctions or itself is subject to sanctions.
These types of incidents frequently qualify as events of default.

Foreign subsidiaries of US persons


Foreign subsidiaries of US companies are generally subject to OFAC jurisdiction under
certain sanctions programmes (e.g., Cuba and Iran), and, as discussed below, there is risk to
foreign subsidiaries under additional theories of liability.58
First, US citizen employees, officers and directors can face individual liability for failing
to comply with US economic sanctions, even if they are employed by a non-US company
and are located outside the United States. For example, US citizens are required to block an
SDN’s property and interests in property that they possess or control, regardless of where
they are located. Thus, if a US citizen is an officer or director of a foreign company, and
possesses or controls property of an SDN, then that US citizen must block that property.
In those circumstances, an officer, director or employee who is a US citizen might consider
recusal out of an abundance of caution.

57 EU Guidance Note, Question 23.


58 See, generally, 31 C.F.R. § 560.215 (Iranian Transactions and Sanctions Regulations); 31 C.F.R. §§ 515.201(b),
515.201, 515.209, 515.329 (Cuban Asset Control Regulations).

© Law Business Research 2021
Navigating Conflicting Sanctions Regimes

Second, foreign subsidiaries of US companies face risks doing business even in sanctioned
jurisdictions other than Iran and Cuba. For example, foreign subsidiaries could face US regulatory
exposure for doing business in a sanctioned jurisdiction (other than Iran or Cuba) if
the transaction transits the US financial system or otherwise has a nexus to the United States.
If the US parent company is a public company, then this could also trigger a public reporting
requirement if an enforcement investigation is initiated, an apparent violation is voluntarily
self-reported to OFAC or an SDN designation occurs. Additionally, if operations are coordinated
between the US entity and the foreign entity, or there are dual-hatted employees, then
that could also raise the risk of sanctions exposure, including under facilitation, conspiracy
to evade sanctions or ‘causing’ theories of liability. Notably, OFAC has advised of the risk
that companies subject to US jurisdiction face in referring business opportunities, approving
or signing off on transactions conducted by, or otherwise facilitating dealings between their
company’s non-US locations and sanctioned jurisdictions, regions or persons.59
Third, the US government has aggressively targeted non-US persons for designation who
have ‘materially assisted’ or otherwise provided financial support to SDNs. For example,
although there is no formal secondary sanctions regime for Venezuela, OFAC has targeted
non-US persons for transacting and otherwise supporting the government of Venezuela
and other sanctioned entities that the US has a foreign policy interest in isolating from the
world economy.60
Finally, credit agreements and other material contracts can subject foreign subsidiaries
of US companies to more stringent regulatory requirements than the strict letter of the law.
As part of a risk-based approach, US companies and their foreign subsidiaries should review
their material contracts to ensure they are in compliance with their contractual obligations,
and not simply rely on a strict letter of the law approach as it relates to US sanctions.

Brexit and the EU Blocking Regulation


As with other EU sanctions, the Blocking Regulation was directly applicable in UK law.
However, for criminal penalties to be imposed for breach, it was transposed into UK law,61 and
was retained following the UK’s withdrawal from the European Union on 31 January 2020.62
The transposing legislation was amended with effect from 1 January 2021.63 The amendments
principally ensure the continued effectiveness of the blocking legislation by, for example,

59 See OFAC, ‘A Framework for OFAC Compliance Commitments’, 2 May 2019, at
www.treasury.gov/resource-center/sanctions/Documents/framework_ofac_cc.pdf; see also Settlement Agreement between
OFAC and BIOMIN America, Inc, 6 May 2020, at
www.treasury.gov/resource-center/sanctions/CivPen/Documents/20200506_biomin.pdf; Settlement Agreement between OFAC and Berkshire Hathaway, Inc.,
20 Oct. 2020, at https://home.treasury.gov/policy-issues/financial-sanctions/recent-actions/20201020.
60 See, e.g., US Department of the Treasury designation of TNK Trading International SA, press release, at
https://home.treasury.gov/news/press-releases/sm937.
61 See footnote 20, above.
62 European Union (Withdrawal) Act 2018, Section 3.
63 The Protecting Against the Effects of the Extraterritorial Application of Third Country Legislation (Amendment)
(EU Exit) Regulations 2020.


removing references to ‘the EU’ and ‘Commission’. The UK government has issued guidance
on the operation of the blocking provisions in the UK.64
Going forward, the United Kingdom will be free to make additional changes to the
Blocking Regulation but is unlikely to do so in the short term. In the Explanatory
Memorandum that accompanied the draft amending legislation, the UK government stated:

We will continue to work with our European partners on matters of significance to the UK,
even as we leave the EU. We intend to uphold the policy intent of the Blocking Regulation
in our statute book once we have left the EU, so that we can mitigate the impact of extra-
territorial sanctions on our trading interests. The UK will assume responsibility for listing
extraterritorial sanctions legislation with which UK businesses must not comply.65

64 See Department of International Trade, ‘Protection of Trading Interests (retained blocking regulation)’,
19 November 2020, at www.gov.uk/guidance/protection-of-trading-interests-retained-blocking-regulation.
65 Explanatory Memorandum to the Extraterritorial US Legislation (Sanctions Against Cuba, Iran and Libya)
(Protection of Trading Interests) (Amendment) Order 2018, paragraph 7.5.

16
Sanctions Issues Arising in Corporate Transactions

Barbara D Linney, Orga Cadet and Ragan Updegraff1

Once thought adequately addressed by a simple representation of compliance with the appropriate
law, sanctions risk in corporate transactions has increased steadily as sanctions have
become more complex and more intertwined with other areas of regulatory compliance. To
further complicate the diligence required in these transactions, the footprints of transacting
parties have expanded around the globe, and expectations of various stakeholders (such
as investors, lenders, insurers and regulators) have heightened. Today, whether the transaction
involves an acquisition, establishment of a joint venture, appointment of an agent,
onboarding a customer or even a divestiture, a full understanding and review of all applicable
sanctions, anti-boycott and export control requirements is necessary if enforcement risks are
to be minimised.
While this chapter attempts to present diligence principles and methodologies that can
be applied irrespective of the jurisdictions of the parties and businesses involved, it will not
escape the reader’s notice that principles of US law are featured prominently. Examination
of potential US law exposure is a necessary element of almost all transaction diligence owing
to the broad extraterritorial reach of US primary sanctions2 and related laws and regulations
affecting international business, the robust enforcement of such laws, and the wide-ranging
deployment of secondary sanctions designed to advance US national security and foreign
policy goals. Of course, diligence must cover all potentially applicable laws and regulations. A
comprehensive multi-jurisdictional review is beyond the scope of this chapter, but examples
of commonly encountered issues posed by EU and national laws are addressed.

1 Barbara D Linney is a partner and Orga Cadet and Ragan Updegraff are associates at BakerHostetler LLP.
2 US ‘primary’ sanctions are those that proscribe behaviour of US persons (and, in the case of Cuba and Iran
sanctions, non-US entities owned or controlled by them). ‘Secondary’ sanctions are those that do not proscribe
conduct but rather impose consequences on persons engaging in activities identified as contrary to US national
security or foreign policy.


Scope of sanctions diligence


The establishment of new business relationships poses a myriad of risks when it comes to
compliance with sanctions. This is especially so given the substantial overlap of sanctions
regulation and enforcement with other regulatory areas, such as anti-boycott and export
control laws and regulations. In the United States, both the Office of Foreign Assets Control
(OFAC) and the export control agencies have jurisdiction over trade in goods subject to
comprehensive embargoes. In addition, some sanctions programmes – notably, the Ukraine/
Russia-related US sanctions – were implemented simultaneously with export control measures
targeting many of the same actors. There is often a high correlation between sanctions
evasion, diversion of export-controlled items and corruption. Anti-boycott regulations are
viewed in some jurisdictions as sanctions subject to blocking laws. In the financial sector,
sanctions compliance measures often double as a means of detecting money laundering and
other financial crimes, and vice versa. The result is that sanctions diligence cannot be effective
if approached in isolation – rather, prospective parties to transactions should deploy a holistic
methodology to ensure that all relevant aspects of transactions are reviewed. Happily, such
an approach also is less time-consuming and more cost-effective for parties to transactions.

Why diligence is important


Global businesses must comply with sanctions and other legal requirements in all jurisdictions
in which they do business. Often, requirements of one jurisdiction will conflict with those of
another (as, for example, when efforts to impose compliance with US primary sanctions run
up against EU or national blocking statutes) or will apply alongside those of another (such
as when US export control rules applicable to items manufactured outside the United States
apply in addition to the export control rules of the country of manufacture). In addition, the
increasing application of US secondary sanctions creates sanctions risks for companies even
if they are in compliance with applicable local laws and not subject to US primary sanctions.
Another source of risk is the expansion ‘by operation of law’ of the list-based sanctions of
several jurisdictions to entities owned or controlled by listed parties, which requires not only
name screening of potential business partners but also an examination of their ownership
and control.3
Moreover, owing to the ‘long-arm’ reach of US export control regulations outside the
United States to encompass re-exports (from one country to another) and transfers (within
another country), non-US companies have not been immune from enforcement action for
violations of US export controls4 and related sanctions.5 Recent examples include imposition

3 See US Dep’t of the Treasury’s Office of Foreign Assets Control [OFAC], ‘Revised Guidance on Entities Owned
by Persons Whose Property and Interest in Property Are Blocked’ (2014); European Commission Opinion
of 19 June 2020 on Article 2 of Council Regulation (EU) No. 269/2014; Office of Financial Sanctions
Implementation, ‘Financial Sanctions: Guidance’ (December 2020), at 15.
4 See, e.g., Bureau of Political Military Affairs, US Dep’t of State, BAE Systems plc Consent Agreement (2011);
Bureau of Political Military Affairs, US Dep’t of State, Qioptiq S.a.r.l. Consent Agreement (2008). See also
Bureau of Industry and Security, US Dep’t of Commerce [BIS], Order Relating to Ghaddar Machinery Co., SAL
(2019) [Ghaddar].
5 OFAC, DENTSPLY SIRONA Inc. Settles Potential Civil Liability for Apparent Violations of the Iranian
Transactions and Sanctions Regulations (2019) [Dentsply].

of fines against a Lebanese company for re-exporting engines of US origin to Syria and
OFAC’s action against a dental supply company for exporting dental products of US origin
to third-country distributors with knowledge that the exports were destined for Iran.6
In the merger and acquisition (M&A) context, due diligence is a must if the risk of
successor liability for sanctions and export control violations and other offences is to be
assessed. Transactions structured as mergers generally pass liability for the pre-transaction
activities of the acquired entity to the buyer by operation of law, but successor liability can
also arise from stock purchases, as well as transactions structured as asset purchases. Of course,
stock purchases that maintain the separate status of the target entity do not create successor
liability for the buyer in the strictest sense of the term, but enforcement costs incurred by the
target entity in connection with pre-completion violations, with the associated reputational
costs, will diminish the value of the buyer’s investment in the target entity. Even in jurisdictions
without successor liability, difficulties may arise when company assets may include the
proceeds of previous sanctions and export control violations.
As for asset purchases, in a string of US cases, beginning with Sigma-Aldrich in 2002,7 the
Bureau of Industry and Security of the US Department of Commerce (BIS) has interpreted
the International Emergency Economic Powers Act (IEEPA)8 and the Export Administration
Regulations9 to impose successor liability for export violations on purchasers of assets when
‘substantial continuity’ of the business results from the transaction.10 Notably, IEEPA also
is the statutory underpinning for all US sanctions programmes save the Cuban embargo.
The Trading with the Enemy Act,11 which authorises the Cuban embargo, contains provisions
similar to the IEEPA provisions interpreted in Sigma-Aldrich and goes a step further by
purporting to impose obligations on non-US entities owned or controlled by US persons.
Sigma-Aldrich thus laid the groundwork for both BIS and OFAC to impose successor liability
on purchasers of assets when the purchased assets constitute a business that continues under
the new owner. As enumerated in Sigma-Aldrich, a finding of ‘substantial continuity’ will be
supported when:

the successor: (1) retains the same employees, supervisory personnel and the same production
facilities in the same location; (2) continues production of the same products; (3) retains
the same business name; (4) maintains the same assets and general business operations; and
(5) holds itself out to the public as a continuation of the previous corporation.12

6 See Ghaddar (footnote 4, above); Dentsply (footnote 5, above).


7 Sigma-Aldrich Business Holdings, Inc., Case No. 01-BXA-06, US Dep’t of Commerce (29 August 2002)
[Sigma-Aldrich].
8 International Emergency Economic Powers Act (codified at 50 U.S.C. § 1701 (2020)).
9 15 C.F.R. §§ 730 to 774 (2019). The Export Administration Regulations also include the US anti-boycott rules.
See 15 C.F.R. pt. 760 (2019).
10 See Sigma-Aldrich (footnote 7, above), at 6, 7 and 12.
11 Trading with the Enemy Act (codified at 50 U.S.C. § 4301) (2020).
12 Sigma-Aldrich (see footnote 7, above), at 9.


The decision in Sigma-Aldrich was not appealed and the parties entered into a settlement
agreement, following which the BIS position on successor liability was applied in subsequent
settlement agreements with both BIS and OFAC.13
The Directorate of Defense Trade Controls (DDTC), which administers the International
Traffic in Arms Regulations14 pursuant to the Arms Export Control Act,15 likewise has a long
history of imposing successor liability dating back to 2003, when the DDTC entered into a
consent agreement with Hughes Electronics Corporation and Boeing Satellite Systems, Inc
(formerly Hughes Space and Communications). The consent agreement imposed penalties
for violations that occurred several years prior to Boeing’s acquisition of the Hughes
space and communications division in 2000.16 The DDTC’s position on successor liability is
bolstered by its policy of requiring registered defence companies to agree in writing to assume
responsibility for pre-acquisition export licences issued to the acquired business.17
Although the US position on successor liability has been criticised by legal scholars, as a
practical matter, given OFAC’s sweeping discretionary powers and the ability of US export
agencies to deny export privileges, parties have tended to settle enforcement actions rather
than embark on time-consuming and expensive challenges to agency authority. As a result,
the risk of enforcement actions based on the successor liability concept remains an important
focus of sanctions and export control diligence.
In addition to its role in detecting potential successor liability, diligence in M&A transactions
is essential if patterns of violative behaviour that may continue post-closing are to
be discovered. OFAC has shown little patience for companies that have allowed violations
to continue post-closing,18 imposing penalties in a series of recent cases notwithstanding
voluntary disclosures filed by the acquirors. Root causes of violations emphasised by OFAC
included being ‘slow to integrate the subsidiary into the . . . corporate family, including with
respect to compliance with U.S. sanctions’ (Expedia); failure to ‘implement procedures to
monitor or audit [the subsidiary’s] operations to ensure that its Iran-related sales did not recur
post-acquisition’ (Stanley Black & Decker); and not undertaking ‘a fuller internal investigation’

13 See, e.g., BIS, Order Relating to Sirchie Acquisition Company, LLC (2010) and related Settlement Agreement
(2009); Dentsply (footnote 5, above).
14 22 C.F.R. §§ 120 to 130 (2020).
15 Arms Export Control Act (codified at 22 U.S.C. 2778 (2014)).
16 Bureau of Political Military Affairs, US Dep’t of State, Order in the Matter of Hughes Electronics Corporation
and Boeing Satellite Systems, Inc. and related Consent Agreement (2003).
17 See ‘Sample 5-Day Notice’ (for Buyer), Updating a Registration: Notification of Change for Mergers,
Acquisitions, and Divestitures, Directorate of Defense Trade Controls, at
www.pmddtc.state.gov/ddtc_public?id=ddtc_kb_article_page&sys_id=fc8aaa9adb74130044f9ff621f9619c3#tab-mad (last visited
25 June 2020).
18 See, e.g., OFAC, ‘OFAC Settles with Keysight Technologies Inc., as Successor Entity to Anite Finland OY,
with Respect to Potential Civil Liability for Apparent Violations of the Iranian Transactions and Sanctions
Regulations’ (2020) [Keysight]; OFAC, ‘Expedia Group, Inc. (“Expedia”) Settles Potential Civil Liability for
Apparent Violations of the Cuban Assets Control Regulations’ (2019) [Expedia]; OFAC, ‘Stanley Black &
Decker, Inc. Settles Potential Civil Liability for Apparent Violations of the Iranian Transactions and Sanctions
Regulations Committed by its Chinese-Based Subsidiary Jiangsu Guoqiang Tools Co. Ltd.’ (2019) [Stanley Black
& Decker]; OFAC, ‘AppliChem GmbH Assessed a Penalty for Violating the Cuban Assets Control Regulations’
(2019) [AppliChem]; OFAC, ‘Kollmorgen Corporation Settles Potential Civil Liability for Apparent Violations
of the Iranian Transactions and Sanctions Regulations’ (2019) [Kollmorgen].


upon receipt of helpline reports of continued sales to Cuba (AppliChem). In Kollmorgen, a
penalty was imposed notwithstanding ‘egregious conduct’ on the part of the newly acquired
subsidiary, whose management actively attempted to thwart the buyer’s compliance efforts
by obfuscating continued sales to Iran from the buyer’s ‘extensive efforts’ to ensure the newly
acquired subsidiary was complying with US sanctions.19 Similarly, in Keysight, a penalty was
imposed despite the buyer’s directive to its newly acquired subsidiary that continued sales to
Iran should cease and the newly acquired subsidiary’s assurance that they had – though, as in
Kollmorgen, the newly acquired company continued sales that were actively concealed from
the buyer.20 However, OFAC and other agencies have made it clear that uncovering potential
violations during the diligence process is not enough. OFAC’s compliance framework, issued
in 2019, notes that mergers and acquisitions ‘appear to have presented numerous challenges
with respect to OFAC sanctions’ but that OFAC nevertheless expects that compliance functions
‘be integrated into the merger, acquisition, and integration process’ and that ‘[w]hether
in an advisory capacity or as a participant, the [buyer] engages in appropriate due diligence
to ensure that sanctions-related issues are identified, escalated to the relevant senior levels,
addressed prior to the conclusion of any transaction, and incorporated into the organization’s
risk assessment process.’21 The recent SAP case22 serves as a stark reminder of the
consequences of failure to address compliance gaps identified during M&A diligence and
post-acquisition audits. In late April 2021, OFAC, BIS and the US Department of Justice
announced settlements with the German company related to, among other things, violations
of the EAR and the Iranian Transactions and Sanctions Regulations (ITSR),23 resulting from
failure to integrate various US cloud services providers acquired in transactions dating back
to 2011 into its export controls and sanctions compliance programme.
Transactional due diligence will focus on many of the same compliance issues that should
be reviewed in the context of M&A activity, but for different reasons. When vetting potential
agents, distributors, joint venture partners or customers, a history of non-compliance with
sanctions or export control laws can foreshadow a risk of becoming embroiled in violations
and enforcement actions in the future. Companies contemplating entering into a transaction
with a third party with a less than stellar compliance record should take a hard look
at whether the risk that the party will commit violations in the future can be adequately
addressed in the agreement governing the transaction. If the contemplated transaction is
a long-term arrangement, such as a joint venture, care should be taken to ensure that the
governing agreement provides a clear exit strategy if violations occur, or if changes in the law
render continuation of the relationship unlawful.

19 Kollmorgen (see footnote 18, above), at 3.


20 Keysight (see footnote 18, above), at 1-2.
21 OFAC, ‘A Framework for Compliance Commitments’ (May 2019), at 4–5.
22 OFAC, OFAC Settles with SAP SE for Its Potential Civil Liability for Apparent Violations of the Iranian
Transactions and Sanctions Regulations (2021) [SAP]. See also, SAP Resolves Allegations of Export Control
Law Violations with US$3.29 Million Administrative Settlement, Bureau of Industry and Security (2021); US
Department of Justice, SAP Admits to Thousands of Illegal Exports of its Software Products to Iran and Enters
into Non-Prosecution Agreement with DOJ (2021); Non-Prosecution Agreement between SAP and the US
Department of Justice (2021), available at www.justice.gov/opa/press-release/file/1390531/download
23 Iranian Transactions and Sanctions Regulations, 31 C.F.R. pt. 560 (2021).


What your diligence review should include


Diligence in corporate transactions has both business and legal elements, and both come into
play in the context of sanctions, anti-boycott and export control due diligence.
From a legal perspective, verifying compliance with legal requirements is a standard
starting point. However, establishing that a target company or potential business partner is in
compliance with all applicable legal requirements prior to entering into a transaction will not
suffice, as new requirements and risks may take effect when the transaction is consummated,
with both business and legal implications.
For example, non-US businesses that come under the ownership or control of US persons
will become subject to US anti-boycott rules and certain US primary sanctions24 requirements
upon completion of the transaction. In the anti-boycott context, the rules apply to
‘US persons’, which is defined to include ‘controlled in fact’ foreign subsidiaries, affiliates, or
other permanent foreign establishments of US business entities, which are termed ‘domestic
concerns’ in the rules.25 ‘Control in fact’ is defined to consist of ‘the authority or ability
of a domestic concern to establish the general policies or to control day-to-day operations
of its foreign subsidiary, partnership, affiliate, branch, office, or other permanent foreign
establishment’.26
In the sanctions context, both the Iran and Cuba sanctions extend to non-US entities
‘owned or controlled by’ US persons.27 The ITSR provide that:

an entity is ‘owned or controlled’ by a United States person if the United States person:
(i) Holds a 50 percent or greater equity interest by vote or value in the entity;
(ii) Holds a majority of seats on the board of directors of the entity; or
(iii) Otherwise controls the actions, policies, or personnel decisions of the entity.28

Although what constitutes ownership or control is undefined in the regulations governing the
Cuba sanctions programme, the definition applicable to Iran reflects OFAC’s long-standing
interpretation of the reach of the Cuba sanctions as well.
Diligence should be designed both to ferret out historical compliance lapses and identify
activities that will not be permitted post-completion, as well as the effects of implementing
any such prohibitions on the business outlook. Cessation of activities that will be unlawful
under US ownership or control may have a material adverse effect on the financial outlook
of the acquired business, while compliance failures post-completion will give rise to enforcement
risk. Nevertheless, the parties may decide to proceed with the transaction, notwithstanding
any detrimental effect on the business that would result from the need to cease
certain operations post-completion. In such cases, further diligence should be conducted
regarding the legal risks associated with cessation so that advice can be taken on how best
to navigate any potential roadblocks, such as those posed by so-called ‘blocking’ statutes.

24 Iranian Transactions and Sanctions Regulations, 31 C.F.R. pt. 560 (2020); Cuban Assets Control Regulations,
31 C.F.R. pt. 515 (2020).
25 15 C.F.R. § 760.1(b).
26 15 C.F.R. § 760.1(c).
27 31 C.F.R. § 515.329; 31 C.F.R. § 560.215.
28 31 C.F.R. § 560.215(b)(1).


Several jurisdictions, as well as the European Union, have adopted blocking measures to
counteract extraterritorial application of US sanctions against Cuba and Iran,29 while Canada
has restricted its blocking measures to the Cuba embargo,30 and German law targets foreign
boycotts.31 Thus, advice should be taken before completion so that an appropriate plan of
action can be formulated, bearing in mind recent enforcement actions against US companies
who failed to prevent their recently acquired non-US subsidiaries from continuing business
with Cuba and Iran.32 Litigation risk arising from breach of contract claims from parties to
discontinued relationships may also be a factor.
Transactional diligence, like compliance programmes, should also be customised to fit
the risks presented and the risk appetites of the parties. Some companies subject all potential
agents or distributors to background checks; others apply such requirements only to relationships
with third parties located in countries or regions considered high risk from a sanctions,
corruption or export diversion perspective. In the absence of red flags, third-party certifications
of matters such as ownership and control, as well as compliance, can be considered in
place of more extensive diligence.
Diligence checklists must be the subject of continuous improvement. Laws and regulations
in the sanctions and export control area change frequently, and these changes usually
spawn new diligence requirements, as do new enforcement actions and agency guidance.
In each transaction, care should be taken to ensure that compliance with all applicable
sanctions and export controls is reviewed, based on the jurisdiction of formation and places
of business as well as products and services of the target company.
When considering doing business with or acquiring a company with operations outside
the United States, possible secondary sanctions risk based on the nature of the target’s business
also must be considered. US secondary sanctions target those doing business with
numerous sectors of the Iranian economy, as well as Russia, Venezuela and North Korea,
among other countries.
Relationships with customers, agents or distributors in countries or regions characterised
by high risk for diversion or corruption also should be scrutinised carefully – several countries
in Asia and the Middle East come to mind in this regard, although, perhaps surprisingly to
some, US law enforcement officials also view Canada as a country of diversion risk.
Other often overlooked but important areas of potential liability when conducting due
diligence on non-US companies include application of US sanctions and export control

29 See, e.g., Council Regulation (EC) No. 2271/96 of 22 November 1996 protecting against the effects of the
extra-territorial application of legislation adopted by a third country, and actions based thereon or resulting
therefrom (as amended by Commission Delegated Regulation (EU) 2019/1100 of 6 June 2018); and, for the
position in the United Kingdom on the expiry of the Brexit transition period, see The Protecting against the
Effects of the Extraterritorial Application of Third Country Legislation (Amendment) (EU Exit) Regulations
2019 (in draft form).
30 Foreign Extraterritorial Measures Act, R.S.C. ch. F-29 (1985), as amended by Bill C-54, proclaimed in force
1 January 1997; Foreign Extraterritorial Measures (United States) Order, 1992, as amended, SOR 96-84,
5 January 1996.
31 Foreign Trade and Payments Ordinance, § 7 (Boycott Declaration) (Ger.).
32 OFAC, ‘Acteon Group Ltd. and 2H Offshore Engineering Ltd. Settle Potential Civil Liability for Apparent
Violations of the Cuban Assets Control Regulations’ (2019); AppliChem (see footnote 18, above); Stanley Black
& Decker (see footnote 18, above); Kollmorgen (see footnote 18, above).


de minimis rules and compliance with US export controls applicable to foreign-produced
items. Many non-US companies are unaware of the extent to which their products might be
subject to US export controls and sanctions as a result of incorporating components of US
origin or that have been manufactured using US technology or plant and equipment.
Though traditionally an exercise conducted primarily by the buyer, the increasing convergence
of sanctions and export controls with other areas of law and regulation, including
national security, anti-money laundering (AML) and anti-corruption, has given rise to diligence
obligations for all parties to the transaction. In transactions that may be reviewed by
the Committee on Foreign Investment in the United States, both parties will need to assess
the export controls applicable to the target US business to assess whether mandatory filing
requirements apply,33 and sellers will want to assess the sanctions and export control compliance
history of potential non-US buyers, given new rules that ban companies with a history
of violations of US sanctions and export controls from enjoying certain exceptions to the
mandatory filing requirements.34 Investors and bankers providing financing for a transaction
will want to ensure sanctions and anti-financial crime compliance by all parties, as well as
compliance with export controls and sanctions by the acquired company. Representation and
warranty insurers likewise will be alert for compliance lapses so that material violations can
be excluded from coverage.

Streamlining diligence
As much as possible, diligence should be streamlined to avoid having to go over the same
ground multiple times. Particularly in the context of M&A activity, the target company’s
appetite and capacity for responding to diligence requests can wane in the face of competing
queries from a myriad of business and legal teams.
Efficiencies can be achieved in the M&A context by minimising the number of requests
for the same information. For example, questions relating to sanctions risk assessment,
internal controls, testing and auditing, compliance training and management’s demonstrated
commitment to comply with applicable sanctions and export control law can be grouped
with similar questions about other relevant compliance matters. Further efficiencies can be
achieved if the various subject matter experts reviewing the responses to diligence queries
coordinate their efforts to avoid having multiple reviewers pore over the same document.
When onboarding business partners, deployment of multiple work streams should be
avoided. Questions relating to sanctions, anti-corruption, AML and export compliance
should be consolidated into one online or paper form rather than sprinkled throughout a
variety of documents and certifications. OFAC recently has signalled approval of this holistic
approach. In a release regarding its 2019 enforcement action against Apollo Aviation
Group, LLC (Apollo), OFAC emphasised the importance of know-your-customer (KYC)
diligence – traditionally the purview of export and AML compliance guidelines – in the
context of sanctions compliance, noting ‘the importance of companies operating internation-
ally to implement Know You [sic] Customer screening procedures and implement compliance

33 31 C.F.R. § 800.401.
34 31 C.F.R. § 800.219; 31 C.F.R. § 802.215 (2020).


measures that extend beyond the point-of-sale and function throughout the entire business
or lease period’.35

What to do if historical breaches are uncovered


If the diligence process uncovers historical breaches, the parties must decide how to proceed.
If compliance issues are discovered while conducting a background check of a potential
customer or distributor, the way forward will depend on whether a relationship is off-limits
as a result of the discovery (for example, if the party is on an asset freezing or other applicable
sanctions list) or whether a trustworthy relationship can nevertheless be achieved in spite
of historical issues (perhaps by imposing and monitoring adherence to various compliance
terms and conditions).
In the M&A context, in most cases, the seller will learn of the historical breaches first
while preparing responses to the buyer’s diligence queries. At this point, it will be important
to consider whether a disclosure should or must be filed. In the United States, most disclo-
sure processes are voluntary rather than mandatory. However, given the substantial reduction
in potential fines for sanctions and export control violations that are voluntarily disclosed,
many companies will decide to make a disclosure so as to reduce potential exposure. In
some instances, the violation may be deemed not to warrant disclosure (such as a minor
record-keeping violation), in which case the seller may elect to implement corrective action
and disclose the matter to the buyer but not to the relevant agency.
A decision whether to disclose potential criminal conduct is not to be taken lightly in any
context, but the SAP case, described by the Department of Justice as the ‘first-ever resolution
pursuant to the Department’s Export Control and Sanctions Enforcement Policy for Business
Organizations’,36 does illustrate the benefits of disclosure in appropriate circumstances, in the
form of substantially reduced penalties.
However, there are circumstances in which disclosure is mandatory, for example, the
requirement under the International Traffic in Arms Regulations to disclose violations
involving arms embargoed countries, such as China.37 In addition, in some jurisdictions
there may be mandatory obligations to report known or suspected breaches of AML laws or
terrorist financing prohibitions,38 as well as specific obligations to report known or suspected

35 OFAC, ‘Apollo Aviation Group, LLC (“Apollo,” now d/b/a Carlyle Aviation Partners Ltd.1) Settles
Potential Civil Liability for Apparent Violations of the Sudanese Sanctions Regulations’, 31 C.F.R.
pt. 538, 3 (2019) [Apollo].
36 US Department of Justice, SAP Admits to Thousands of Illegal Exports of its Software Products to Iran and
Enters into Non-Prosecution Agreement with DOJ (2021); Export Control and Sanctions Enforcement Policy
for Business Organizations, US Department of Justice (13 December 2019), available at www.justice.gov/nsd/
ces_vsd_policy_2019/download.
37 22 C.F.R. § 126.1(e)(2) (2020).
38 See, e.g., the anti-money laundering reporting requirements that must be implemented in EU Member
States in accordance with Directive (EU) 2018/843 of the European Parliament and of the Council of
30 May 2018 amending Directive (EU) 2015/849 on the prevention of the use of the financial system for the
purposes of money laundering or terrorist financing, and amending Directives 2009/138/EC and 2013/36/EU
(OJ L 156, 19/6/2018, at 43 to 74).


breaches of sanctions.39 Moreover, EU regulations giving effect to sanctions laws are accom-
panied by general obligations to report information that would facilitate compliance.
If the filing of a disclosure is determined to be warranted or required, or if an enforcement
action is commenced during the period of diligence, the buyer and its counsel may wish to
have input into the disclosure or response to the enforcement action. In these circumstances,
a joint defence agreement may be considered as a means of protecting privilege. Absent a
joint defence agreement, sellers should keep in mind that legal privilege does not attach to
responses to the buyer’s diligence queries. Furthermore, depending upon the jurisdiction,
disclosures to one’s own in-house counsel likewise may not be protected, in which case it may
be prudent to channel compliance diligence regarding potentially sensitive matters through
external counsel.

Remediation
Both parties can and should take steps to remediate compliance breaches and enforcement
risks identified during diligence.
In the lead-up to a merger or acquisition, a seller who discovers historical breaches bears
primary responsibility for stopping the unlawful conduct and beginning to implement
corrective actions. However, while some remediation steps (such as disciplining employees
involved in the misconduct) can be taken fairly quickly, other more systemic responses
(such as overhauling compliance programmes and procedures) may be best left to the buyer,
particularly if the buyer has a robust compliance programme that it intends to roll out to the
newly acquired business. In such instances, the seller may choose to implement only those
short-term remediation measures required to ensure that no further breaches occur prior to
the closing.
The buyer, however, is responsible for lapses that continue or occur on its watch, and
several recent OFAC enforcement actions discussed in this chapter (Keysight, Expedia, Stanley
Black & Decker, AppliChem and Kollmorgen) illustrate the importance of regular compli-
ance monitoring in the context of integrating newly acquired businesses.40 Thus, it is not
enough merely to have compliance policies and procedures and provide training; compa-
nies must also monitor compliance with their policies and procedures if they wish to avoid
enforcement action.
This can be of particular concern for newly acquired non-US companies. For instance, as
the Keysight and Kollmorgen cases highlight, parent companies should be particularly careful
when acquiring non-US companies that have pre-existing relationships with sanctioned
persons and jurisdictions that may continue despite directives from the parent company
to the non-US subsidiary that these relationships be terminated.41 As in both Keysight and
Kollmorgen, the non-US subsidiary may even undertake efforts to conceal continued business
with sanctioned parties from the parent company by falsifying corporate records. Because
of the risk that non-US subsidiaries may continue to do business with sanctioned parties,

39 See, e.g., the UK reporting obligation as extended by The European Union Financial Sanctions (Amendment of
Information Provisions) Regulations 2017.
40 See, e.g., Expedia (footnote 18, above); Stanley Black & Decker (footnote 18, above); AppliChem (footnote 18,
above); Kollmorgen (footnote 18, above).
41 See Keysight (footnote 18, above); Kollmorgen (footnote 18, above).


it becomes particularly important for companies acquiring non-US companies not simply
to rely on certifications from non-US subsidiaries that they have ceased such business, but
also to take pro-active steps to ensure that such business has actually ceased by insisting on
parent company visibility into the newly acquired non-US subsidiary’s corporate records.
Although in both Keysight and Kollmorgen, the buyer did not have knowledge of its newly
acquired subsidiary’s continued sales to Iran, in Kollmorgen OFAC detailed the buyer’s
‘extensive efforts’ to ensure post-acquisition compliance and determined the violations to be
non-egregious (imposing a base penalty of only US$7,434 rather than the US$750,000 that
would have been imposed if OFAC had found the violations egregious). In finding the
violations non-egregious, OFAC credited the buyer’s ‘extensive and preventative remedial
conduct’. However, in Keysight, in which OFAC did not make such a finding as to the buyer’s
post-acquisition compliance efforts, OFAC found the violations egregious and imposed a
base penalty of US$1,051,460 (half the statutory maximum) – the lesson being that the more
post-acquisition diligence and remedial measures, the more likely the buyer is to receive leni-
ency from OFAC should violations continue to occur post-closing. The SAP case also illus-
trates the benefits of remediation. As noted by the Department of Justice, ‘SAP will suffer the
penalties for its violations of the Iran sanctions, but these would have been far worse had they
not disclosed, cooperated, and remediated.’42 The disclosure, cooperation and remediation
culminated in a non-prosecution agreement with the Department of Justice and administra-
tive agreements with OFAC and BIS.
In the context of agreements with customers and other third parties, the parties must
decide to what extent a breach of compliance obligations triggers termination rights. The
agreement also should clearly address the role that each party will play in remediation, in the
absence of a triggering breach.

Supplementing diligence with compliance representations and covenants


Agreements recording corporate transactions, whether with business partners or buyers or
sellers of businesses, contain numerous clauses designed to allocate risks associated with past
or future violations.
All agreements should contain basic representations and warranties about the identity and
ownership of the parties. To the extent that an agreement is intended to govern a relationship
between the parties going forward, it should include covenants of both parties to advise the
other if its circumstances change (e.g., if it or any of its owners is added to a sanctions list), as
well as covenants to comply with applicable sanctions and export controls, related informa-
tion exchange and termination rights, and, if applicable, rights and obligations of the parties
in connection with any required remedial action.
The recent OFAC enforcement action against Apollo illustrates the importance OFAC
assigns to regular compliance monitoring in the context of customer relationships.43 Although
the party to whom Apollo leased aircraft engines failed to comply with lease provisions that
prohibited the transfer of the engines to a country subject to US sanctions, and the violations
were disclosed voluntarily, OFAC nevertheless penalised Apollo, noting that:

42 US Department of Justice, SAP Admits to Thousands of Illegal Exports of its Software Products to Iran and
Enters into Non-Prosecution Agreement with DOJ (2021).
43 See Apollo (footnote 35, above).


Notwithstanding the inclusion of this clause, Apollo did not ensure the aircraft engines were
utilized in a manner that complied with OFAC’s regulations. For example, at the time,
Apollo did not obtain U.S. law export compliance certificates from lessees and sublessees.
Additionally, Apollo did not periodically monitor or otherwise verify its lessee’s and subles-
see’s adherence to the lease provision requiring compliance with U.S. sanctions during the
life of the lease.

Caution should be exercised, however, as including unmanageable audit requirements in
agreements with customers and other third parties can come back to haunt companies who do
not avail themselves of their audit rights. This is another area in which collaboration between
various compliance functions within a company can add value. For example, personnel who
conduct periodic audits for other purposes, such as financial or quality control, can be trained
to incorporate checks for sanctions and export compliance into their audit process.
In the M&A context, representations and warranties regarding past compliance are crit-
ical, but there is a tension between the objectives of the buyer and seller in negotiating
these clauses. Sellers often will prefer to couch these representations and warranties with
varying degrees of materiality and knowledge qualifiers, while buyers may prefer more
robust disclosures.
Purchase agreements typically also contain various provisions under which a buyer may
seek indemnification from a seller for breaches of representations and warranties. These
clauses impose monetary limitations on recovery, require claims to be made within a certain
time, and exclude claims for known exceptions disclosed to the buyer. Occasionally, however,
the parties may agree to include special indemnity provisions relating to potentially signifi-
cant issues. However, it is important to understand that the indemnification clauses, with the
representations and warranties, will define the limits of the seller’s responsibility to reimburse
the buyer for costs associated with pre-completion compliance lapses. As a result, buyers
must satisfy themselves during the diligence process that they are willing to bear any enforce-
ment risk not covered by the negotiated indemnity or representation and warranty insurance,
which typically excludes coverage of damages arising from known material violations.

Ongoing diligence expectations


In the end, irrespective of the scope of the representations and warranties that may be negoti-
ated, or how ‘clean’ the results of a diligence review may be, the enforcement agencies have
made clear their expectation that acquirors should conduct further diligence post-completion44
and that parties to commercial agreements should monitor compliance for the life of the
relationship.45 Among other things, OFAC clearly expects buyers to conduct heightened
diligence of parties known to do business with countries or entities subject to OFAC sanc-
tions, appoint management personnel who are committed to compliance, conduct regular
audits and risk assessments, provide ongoing training, and respond to red flags promptly.46 In
the context of commercial relationships, OFAC expects risk assessments, exercise of caution

44 See, e.g., Stanley Black & Decker (footnote 18, above); Kollmorgen (footnote 18, above).
45 See Apollo (footnote 35, above), and discussion above at ‘Streamlining diligence’.
46 See, e.g., Kollmorgen (footnote 18, above); Stanley Black & Decker (footnote 18, above); Expedia (footnote 18,
above); AppliChem (footnote 18, above).


when doing business with entities with known contacts with OFAC-sanctioned entities and
jurisdictions, compliance monitoring throughout the life of the relationship, training, KYC
screening procedures and, when applicable, the obtaining of compliance certifications.47
In light of these ongoing diligence and compliance expectations, buyers evaluating poten-
tial mergers or acquisitions and parties contemplating commercial transactions should ensure
that their pre-completion due diligence includes not only an assessment of the legal and
business risks discussed in this chapter, but also an evaluation of their capacity to meet the
expectations of regulators for ongoing diligence and compliance, as well as the enforcement
risks they will face if these expectations are not met.

47 See Apollo (footnote 35, above) and discussion above at ‘Supplementing diligence’.
